ReDoS Vulnerability in Liferay Portal and Liferay DXP
CVE-2022-42124
7.5 HIGH
Key Information:
- Vendor: Liferay
- CVE Published: 15 November 2022
What is CVE-2022-42124?
This regular expression denial of service (ReDoS) vulnerability affects the LayoutPageTemplateEntryUpgradeProcess in Liferay Portal and Liferay DXP. A remote attacker can exploit it through the 'name' field of a layout prototype: by sending a specially crafted payload in that field, the attacker can cause excessive consumption of server resources, potentially leading to degraded performance or denial of service. Proper sanitization and input validation are essential to mitigate this risk and protect server integrity.
CVSS V3.1
- Score: 7.5
- Severity: HIGH
- Confidentiality: None
- Integrity: None
- Availability: None
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved