Information disclosure in Liferay Enterprise Portal - CVE-2022-42132

 

Information disclosure in Liferay Enterprise Portal - CVE-2022-42132

Published: April 7, 2023


Vulnerability identifier: #VU74603
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2022-42132
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Liferay
Affected software:
Liferay Enterprise Portal

Detailed vulnerability description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to the Test LDAP Users functionality includes the LDAP credential in the page URL when paginating through the list of users. A remote attacker can obtain LDAP credentials from the URL.


How to mitigate CVE-2022-42132

Install updates from vendor's website.

Sources