CVE-2022-42120 : A SQL injection vulnerability in the Fragment module in Liferay Portal 7.3.3 thr

A SQL injection vulnerability in the Fragment module in Liferay Portal 7.3.3 through 7.4.3.16, and Liferay DXP 7.3 before update 4, and 7.4 before update 17 allows attackers to execute arbitrary SQL commands via a PortletPreferences' `namespace` attribute.

Published 2022-11-15 01:15:13

Updated 2022-11-17 14:50:42

Source MITRE

View at NVD, CVE.org

Vulnerability category: Sql Injection

Products affected by CVE-2022-42120

Liferay » Liferay Portal
Versions from including (>=) 7.3.3 and up to, including, (<=) 7.4.3.16
cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*
Matching versions
Liferay » DXP » Version: 7.3
cpe:2.3:a:liferay:dxp:7.3:-:*:*:*:*:*:*
Matching versions
Liferay » DXP » Version: 7.4
cpe:2.3:a:liferay:dxp:7.4:-:*:*:*:*:*:*
Matching versions

Threat overview for CVE-2022-42120

Top countries where our scanners detected CVE-2022-42120

Top open port discovered on systems with this issue 80

IPs affected by CVE-2022-42120 76

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2022-42120!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2022-42120

EPSS FAQ

0.23%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 44 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-42120

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2022-42120

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2022-42120

http://liferay.com

Digital Experience Software Tailored to Your Needs | Liferay
Vendor Advisory

CVEs referencing this url
https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42120

CVE-2022-42120 SQL injection vulnerability during fragment upgrade
Vendor Advisory
https://issues.liferay.com/browse/LPE-17513

[LPE-17513] LSV-1034: SQL injection vulnerability during fragment upgrade - Liferay Issues
Issue Tracking;Vendor Advisory