SQL injection vulnerability in the upgrade process for SQL Server in Liferay Portal 7.3.1 through 7.4.3.17, and Liferay DXP 7.3 before update 6, and 7.4 before update 18 allows attackers to execute arbitrary SQL commands via the name of a database table's primary key index. This vulnerability is only exploitable when chained with other attacks. To exploit this vulnerability, the attacker must modify the database and wait for the application to be upgraded.
References
Link | Resource |
---|---|
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33945 | Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
02 Jun 2023, 16:16
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33945 - Vendor Advisory | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.1 |
CWE | CWE-89 | |
First Time |
Liferay digital Experience Platform
Liferay liferay Portal Liferay |
|
CPE | cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_1:*:*:*:*:*:* cpe:2.3:a:liferay:digital_experience_platform:7.4:-:*:*:*:*:*:* cpe:2.3:a:liferay:digital_experience_platform:7.3:-:*:*:*:*:*:* cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:* cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_2:*:*:*:*:*:* cpe:2.3:a:liferay:digital_experience_platform:7.4:update1:*:*:*:*:*:* |
Information
Published : 2023-05-24 16:15
Updated : 2024-02-28 20:13
NVD link : CVE-2023-33945
Mitre link : CVE-2023-33945
CVE.ORG link : CVE-2023-33945
JSON object : View
Products Affected
liferay
- liferay_portal
- digital_experience_platform
CWE
CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')