LDAP Credential Exposure in Liferay Portal and Liferay DXP
CVE-2022-42132

5.9MEDIUM

Key Information:

Vendor: Liferay
Status: Digital Experience Platform; Liferay Portal
Vendor: CVE Published:; 15 November 2022

What is CVE-2022-42132?

The Liferay Portal and Liferay DXP products have a vulnerability where the Test LDAP Users functionality exposes LDAP credentials in the URL during user pagination. This could allow a man-in-the-middle attacker or someone with access to the request logs to capture sensitive information. It is crucial for users of affected versions to review their configurations and apply necessary updates to mitigate the risk of credential exposure.

References

http://liferay.com

https://portal.liferay.dev/learn/security/known-vulnerabi...

https://issues.liferay.com/browse/LPE-17438

CVSS V3.1

Score:

5.9

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 15, 2022
Vulnerability Reserved
Oct 3, 2022