CVE-2022-28981: Liferay's Hypermedia REST APIs module (OSGi bundle com.liferay.headless.discovery.web) has a path traversal vulnerability that allows remote attackers to access files outside of the bundle's META-INF folder via the `parameter` request parameter.

The Hypermedia REST APIs module serves API discovery resources out of its own META-INF folder and selects the resource to return from the `parameter` query parameter. The value of `parameter` is not confined to that folder, so a request whose `parameter` value contains traversal sequences such as `../` (possibly percent-encoded) is resolved to a file outside META-INF and its contents are returned to the caller. To verify on an instance you own, send two requests to the module's discovery endpoint: one with a benign `parameter` value naming a file that is expected to live under META-INF, and one with a value that prepends `../` sequences. A patched instance rejects or normalizes the traversal and answers with an error or with the in-scope file; a vulnerable instance returns the file that the traversed path points to. Note that a naive check for the literal string `..` over-reports: a value such as `docs/../openapi.json` normalizes to a path that is still inside META-INF, so decoding and normalizing the value before comparing it against the base folder is what tells an exploit attempt from a harmless request.
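The two things a practitioner wants from this description are the confinement check a fixed lookup needs and a way to find attempts in web server access logs. The following is an added example and is not Liferay's code: `resolve_within` joins the user-supplied `parameter` value onto a base folder, undoes repeated percent-encoding, normalizes the result and refuses anything that leaves the base; `find_traversal_attempts` applies the same check to the `parameter` query value in Tomcat-style access log lines. The log lines and the `/Discovery` path in them are constructed for the example (the detection keys on the parameter name, not on the path), and the file names in the traversal values are illustrative.

```python
"""Added example (not Liferay's code): confinement check for a user-supplied
file name plus an access-log scan for CVE-2022-28981-style traversal attempts
in the `parameter` query parameter."""
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Folder the discovery module serves from (named in the CVE description).
META_INF = "/META-INF"


def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding (e.g. %252e%252e -> %2e%2e -> ..)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_within(base, user_value):
    """Hardened lookup: decode, normalize, and keep only paths that stay under
    `base`. Returns the safe absolute path, or None when the value escapes,
    is an absolute path, or carries an embedded NUL byte."""
    decoded = fully_decode(user_value)
    if "\x00" in decoded:
        return None
    # Treat backslashes as separators so "..\\" cannot slip past the check.
    candidate = posixpath.normpath(posixpath.join(base, decoded.replace("\\", "/")))
    if candidate == base or candidate.startswith(base + "/"):
        return candidate
    return None


# Common log format as written by Tomcat's AccessLogValve ("%h %l %u %t "%r" %s %b").
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\S+)'
)


def find_traversal_attempts(log_lines, base=META_INF):
    """Return (client ip, status, decoded parameter value) for every request
    whose `parameter` query value would have escaped `base`."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        # parse_qs performs one round of decoding; resolve_within does the rest.
        for raw in parse_qs(query, keep_blank_values=True).get("parameter", []):
            if resolve_within(base, raw) is None:
                hits.append((m["ip"], int(m["status"]), fully_decode(raw)))
    return hits


# Constructed sample log lines for the example; the request path is illustrative.
SAMPLE_LOG = [
    '10.0.0.5 - - [22/Sep/2022:10:01:02 +0000] "GET /Discovery?parameter=openapi.yaml HTTP/1.1" 200 5120',
    '198.51.100.7 - - [22/Sep/2022:10:01:09 +0000] "GET /Discovery?parameter=..%2F..%2Fportal-ext.properties HTTP/1.1" 200 2210',
    '198.51.100.7 - - [22/Sep/2022:10:01:11 +0000] "GET /Discovery?parameter=%252e%252e%252fMANIFEST.MF HTTP/1.1" 200 880',
    '10.0.0.9 - - [22/Sep/2022:10:02:30 +0000] "GET /Discovery?parameter=docs/../openapi.json HTTP/1.1" 200 4990',
    '10.0.0.9 - - [22/Sep/2022:10:02:31 +0000] "GET /c/portal/login HTTP/1.1" 302 -',
]

if __name__ == "__main__":
    for ip, status, value in find_traversal_attempts(SAMPLE_LOG):
        print(f"{ip} status={status} parameter={value!r}")
```

Only the two requests from 198.51.100.7 are reported: the double-encoded value is caught because decoding is repeated until it stops changing, while `docs/../openapi.json` is not reported because it normalizes to a path that is still under META-INF. A 200 status on a reported line is the signal that the instance was unpatched at the time.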

References:

- https://www.vulnerability-lab.org/get_content.php?id=1124

How to Update Liferay Software?

Liferay does not update itself from the portal UI; fixes are applied by the administrator on the server and take effect after a restart. Liferay DXP customers apply the fix pack or hotfix that contains the fix with the Patching Tool shipped in the bundle: copy the patch archive into the `patching-tool/patches` directory, stop the server, run `patching-tool.sh install` (`patching-tool.bat` on Windows), and confirm with `patching-tool.sh info` that the patch is listed as installed before starting the server again. Liferay Portal CE does not receive fix packs; install the GA release that contains the fix, following the upgrade guide for your source and target versions, and redeploy your customizations against it. In either case, verify afterwards that a `parameter` value containing `../` no longer returns content from outside the module's META-INF folder.

Timeline

Published on: 09/22/2022 01:15:00 UTC
Last modified on: 09/23/2022 17:41:00 UTC
