Back CVE-2022-42132 LDAP credentials exposed in URL


The Test LDAP Users functionality in Liferay Portal 7.0.0 through includes the LDAP credential in the page URL when paginating through the list of users, which allows man-in-the-middle attackers or attackers with access to the request logs to see the LDAP credential.


8.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N)

Affected Version(s)

  • Liferay Portal 7.0.0 - 7.0.6
  • Liferay Portal 7.1.0 - 7.1.3
  • Liferay Portal 7.2.0 - 7.2.1
  • Liferay Portal 7.3.0 - 7.3.7
  • Liferay Portal 7.4.0 -

Fixed Version(s)

There is no fix available for Liferay Portal 7.0, 7.1, 7.2 and 7.3. Please upgrade to Liferay Portal


Deployments of Liferay Portal not using HTTPS should assume their LDAP credentials has been leaked and should change the LDAP password right away. All deployments of Liferay Portal using LDAP should review the request logs and check if the LDAP password appears in the logs.

Publication date: Wed, 19 Oct 2022 07:35:00 +0000

The security advisories on this page is for Liferay's open source projects (e.g., Liferay Portal). Security advisories for Liferay's enterprise offerings (e.g., Liferay DXP) are available in Help Center.