PT-2022-26269 · Elastic+1 · Elasticsearch+4

Published: 2022-11-15 · Updated: 2025-09-05 · CVE-2022-42123

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions

Liferay Portal versions 7.3.3 through 7.4.3.18
Liferay DXP versions 7.3 before update 6
Liferay DXP versions 7.4 before update 19

Description

A Zip slip vulnerability in the Elasticsearch Connector allows attackers to create or overwrite existing files on the filesystem via the installation of a malicious Elasticsearch Sidecar plugin.

Recommendations

For Liferay Portal versions 7.3.3 through 7.4.3.18, update to a version outside of this range to resolve the issue.
For Liferay DXP versions 7.3 before update 6, apply update 6 or later to fix the vulnerability.
For Liferay DXP versions 7.4 before update 19, apply update 19 or later to fix the vulnerability.
As a temporary workaround, consider restricting the installation of Elasticsearch Sidecar plugins to minimize the risk of exploitation.

Fix

Path traversal

Weakness Enumeration

Related Identifiers

BIT-LIFERAY-2022-42123
CVE-2022-42123
GHSA-HFFX-R282-W2G9

Affected Products

Elasticsearch
Connector
Sidecar
Liferay DXP
Liferay Portal