CVE-2022-42132

MEDIUM

Liferay Portal 7.0.0-7.4.3.4 & DXP 7.0-7.4 GA - Sensitive Information Exposure via LDAP Pagination

Title source: llm

Description

The Test LDAP Users functionality in Liferay Portal 7.0.0 through 7.4.3.4, and Liferay DXP 7.0 fix pack 102 and earlier, 7.1 before fix pack 27, 7.2 before fix pack 17, 7.3 before update 4, and DXP 7.4 GA includes the LDAP credential in the page URL when paginating through the list of users, which allows man-in-the-middle attackers or attackers with access to the request logs to see the LDAP credential.

References (3)

Core 3

Core References

Vendor Advisory

http://liferay.com

Vendor Advisory

https://issues.liferay.com/browse/LPE-17438

Vendor Advisory

https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42132

Scores

CVSS v3 5.9

EPSS 0.0033

EPSS Percentile 55.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-200

Status published

Products (4)

com.liferay/com.liferay.portal.settings.authentication.ldap.web 0 - 5.0.13Maven

com.liferay.portal/release.dxp.bom 7.0.0Maven

com.liferay.portal/release.portal.bom 7.0.0 - 7.4.3.5-ga5Maven

liferay/digital_experience_platform 7.0 (47 CPE variants)

Published Nov 15, 2022

Tracked Since Feb 18, 2026