CVE-2022-42132 LDAP credentials exposed in URL

Description

The Test LDAP Users functionality in Liferay Portal 7.0.0 through 7.4.3.4 includes the LDAP credential in the page URL when paginating through the list of users, which allows man-in-the-middle attackers or attackers with access to the request logs to see the LDAP credential.

Severity

8.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N)

Affected Version(s)

  • Liferay Portal 7.0.0 - 7.0.6
  • Liferay Portal 7.1.0 - 7.1.3
  • Liferay Portal 7.2.0 - 7.2.1
  • Liferay Portal 7.3.0 - 7.3.7
  • Liferay Portal 7.4.0 - 7.4.3.4

Fixed Version(s)

There is no fix available for Liferay Portal 7.0, 7.1, 7.2 and 7.3. Please upgrade to Liferay Portal 7.4.

Notes

Deployments of Liferay Portal not using HTTPS should assume their LDAP credentials has been leaked and should change the LDAP password right away. All deployments of Liferay Portal using LDAP should review the request logs and check if the LDAP password appears in the logs.

Publication date: Wed, 19 Oct 2022 07:35:00 +0000

Security advisories for Liferay's enterprise offerings (e.g., Liferay DXP) are only listed here since 2023. Historial advisories are availabe in the Help Center.