CVE-2022-42124 ReDoS vulnerability in upgrade of layout prototype name

Description

ReDoS vulnerability in LayoutPageTemplateEntryUpgradeProcess in Liferay Portal 7.3.2 through 7.4.3.4 allows remote attackers to consume an excessive amount of server resources via a crafted payload injected into the 'name' field of a layout prototype.

Severity

2.6 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L)

Affected Version(s)

  • Liferay Portal 7.3.2 - 7.3.7
  • Liferay Portal 7.4.0 - 7.4.3.4

Fixed Version(s)

There is no fix available for Liferay Portal 7.3. Please upgrade to Liferay Portal 7.4.

Publication date: Wed, 19 Oct 2022 04:03:00 +0000

Security advisories for Liferay's enterprise offerings (e.g., Liferay DXP) have only been listed here since 2023. Historical advisories are available in the Help Center.