PT-2022-26271 · Liferay · Liferay Portal+1

Published: 2022-11-15 · Updated: 2025-04-30 · CVE-2022-42125

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions

Liferay Portal versions 7.4.3.5 through 7.4.3.35
Liferay DXP 7.4 update 1 through update 34

Description

The issue allows attackers to create or overwrite existing files on the filesystem via the deployment of a malicious plugin/module. This is due to a zip slip vulnerability in FileUtil.unzip.

Recommendations

For Liferay Portal versions 7.4.3.5 through 7.4.3.35, consider disabling the FileUtil.unzip function until a patch is available. For Liferay DXP 7.4 update 1 through update 34, restrict the deployment of plugins/modules to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

Path traversal

Related Identifiers

BIT-LIFERAY-2022-42125
CVE-2022-42125
GHSA-G8HP-RC67-JF96

Affected Products

Liferay DXP
Liferay Portal