PT-2022-26279 · Liferay · Liferay Portal+1
Published 2022-11-15 · Updated 2025-04-30 · CVE-2022-42132
CVSS v3.1: 5.9 (Medium)
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Liferay Portal versions 7.0.0 through 7.4.3.4
Liferay DXP 7.0 fix pack 102 and earlier
Liferay DXP 7.1 before fix pack 27
Liferay DXP 7.2 before fix pack 17
Liferay DXP 7.3 before update 4
Liferay DXP 7.4 GA
Description
The Test LDAP Users functionality includes the LDAP credential in the page URL when paginating through the list of users. This allows man-in-the-middle attackers or attackers with access to the request logs to see the LDAP credential.
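Because the credential travels in the query string, it ends up in every intermediate's access log. The following is an added example, not code from the advisory or from Liferay: it scans constructed access-log lines for credential-like query parameters and emits a scrubbed copy, which is the kind of check a defender would run over existing logs or wire into log ingestion. The request path and the `ldapPassword` parameter name are assumptions for illustration; the advisory does not name the real endpoint or parameter.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names treated as credential-bearing (assumption for the example).
SENSITIVE_PARAM_RE = re.compile(r"password|passwd|pwd|credential|secret", re.IGNORECASE)

# Common log format: client ident user [time] "METHOD target PROTO" status size
LOG_LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines; path and parameter names are hypothetical.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Nov/2022:10:01:02 +0000] "GET /example/ldap-test-users?page=1&ldapPassword=s3cr3t HTTP/1.1" 200 5120',
    '10.0.0.5 - - [15/Nov/2022:10:01:09 +0000] "GET /example/ldap-test-users?page=2&ldapPassword=s3cr3t HTTP/1.1" 200 4880',
    '10.0.0.7 - - [15/Nov/2022:10:02:30 +0000] "GET /web/guest/home HTTP/1.1" 200 9120',
]


def find_sensitive_params(target):
    """Return the names of credential-like query parameters in a request target."""
    query = urlsplit(target).query
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)
            if SENSITIVE_PARAM_RE.search(name)]


def redact_target(target):
    """Return the target with values of credential-like parameters replaced."""
    parts = urlsplit(target)
    scrubbed = [(name, "REDACTED" if SENSITIVE_PARAM_RE.search(name) else value)
                for name, value in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(scrubbed)))


def scan_log(lines):
    """Return (client, redacted_line, leaked_param_names) for each leaking request."""
    findings = []
    for line in lines:
        match = LOG_LINE_RE.match(line)
        if not match:
            continue  # not in the expected format; skip rather than guess
        target = match.group("target")
        leaked = find_sensitive_params(target)
        if leaked:
            redacted_line = line.replace(target, redact_target(target), 1)
            findings.append((match.group("client"), redacted_line, leaked))
    return findings


if __name__ == "__main__":
    for client, redacted_line, leaked in scan_log(SAMPLE_LOG):
        print(f"{client} leaked {leaked}: {redacted_line}")
```

Pagination repeats the leak on every page request, so a single paginated session produces several findings from the same client; the scrubbed lines can replace the originals once the credential has been rotated.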
Recommendations
For Liferay Portal versions 7.0.0 through 7.4.3.4, update to a version later than 7.4.3.4 to resolve the issue.
For Liferay DXP 7.0, apply fix pack 103 or later.
For Liferay DXP 7.1, apply fix pack 27 or later.
For Liferay DXP 7.2, apply fix pack 17 or later.
For Liferay DXP 7.3, apply update 4 or later.
For Liferay DXP 7.4, update to a version later than 7.4 GA.
As a temporary workaround, consider restricting access to the Test LDAP Users functionality until a patch is available.
Fix
Information Disclosure
Insufficiently Protected Credentials
Affected Products
Liferay DXP
Liferay Portal