The Test LDAP Users functionality in Liferay Portal 7.0.0 through 7.4.3.4, and Liferay DXP 7.0 fix pack 102 and earlier, 7.1 before fix pack 27, 7.2 before fix pack 17, 7.3 before update 4, and DXP 7.4 GA includes the LDAP credential in the page URL when paginating through the list of users, which allows man-in-the-middle attackers or attackers with access to the request logs to see the LDAP credential.
References
Link | Resource |
---|---|
http://liferay.com | Vendor Advisory |
https://issues.liferay.com/browse/LPE-17438 | Vendor Advisory |
https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42132 | Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
08 Aug 2023, 14:22
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-200 |
Information
Published : 2022-11-15 02:15
Updated : 2024-02-28 19:29
NVD link : CVE-2022-42132
Mitre link : CVE-2022-42132
CVE.ORG link : CVE-2022-42132
JSON object : View
Products Affected
liferay
- liferay_portal
- digital_experience_platform
CWE
CWE-200
Exposure of Sensitive Information to an Unauthorized Actor