The Test LDAP Users functionality in Liferay Portal 7.0.0 through 7.4.3.4, and Liferay DXP 7.0 fix pack 102 and earlier, 7.1 before fix pack 27, 7.2 before fix pack 17, 7.3 before update 4, and DXP 7.4 GA includes the LDAP credential in the page URL when paginating through the list of users, which allows man-in-the-middle attackers or attackers with access to the request logs to see the LDAP credential.
Attack Vector Network
Attack Complexity High
Privileges Required None
Scope Unchanged
Confidentiality Impact High
Integrity Impact None
Availability Impact None
User Interaction None
No CVSS v3.0
No CVSS v2
Vendors | Products |
---|---|
Liferay |
|
Configuration 1 [-]
|
References
Link | Resource |
---|---|
http://liferay.com | Vendor Advisory |
https://issues.liferay.com/browse/LPE-17438 | Vendor Advisory |
https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42132 | Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2022-11-15T00:00:00
Updated: 2022-11-15T00:00:00
Reserved: 2022-10-03T00:00:00
Link: CVE-2022-42132
JSON object: View
NVD Information
Status : Analyzed
Published: 2022-11-15T02:15:12.240
Modified: 2023-08-08T14:22:24.967
Link: CVE-2022-42132
JSON object: View
Redhat Information
No data.
CWE