CVE-2022-42126 User permissions are not checked for DepotGroupItemSelectorProvider

Description

The Asset Libraries module in Liferay Portal 7.3.5 through 7.4.3.28 does not properly check permissions of asset libraries, which allows remote authenticated users to view asset libraries via the UI.

Severity

4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Affected Version(s)

  • Liferay Portal 7.3.5 - 7.3.7
  • Liferay Portal 7.4.0 - 7.4.3.28

Fixed Version(s)

There is no fix available for Liferay Portal 7.3. Please upgrade to Liferay Portal 7.4.

Publication date: Wed, 19 Oct 2022 06:05:00 +0000

Security advisories for Liferay's enterprise offerings (e.g., Liferay DXP) are only listed here since 2023. Historial advisories are availabe in the Help Center.