CVE-2023-33945

Name of the Vulnerable Software and Affected Versions Liferay Portal versions 7.3.1 through 7.4.3.17 Liferay DXP versions 7.3 before update 6 Liferay DXP versions 7.4 before update 18

Description The issue allows attackers to execute arbitrary SQL commands via the name of a database table's primary key index. This is only exploitable when chained with other attacks. To exploit this, the attacker must modify the database and wait for the application to be upgraded.

Recommendations For Liferay Portal versions 7.3.1 through 7.4.3.17, update to a version outside of this range to resolve the issue. For Liferay DXP versions 7.3 before update 6, apply update 6 or later to fix the vulnerability. For Liferay DXP versions 7.4 before update 18, apply update 18 or later to fix the vulnerability. As a temporary workaround, consider restricting access to the database upgrade process until a patch is applied.