5.3

CVSS Score

Basic Information

CVE ID

CVE-2022-42127

GHSA ID

GHSA-5x9h-p2gx-35mg

EPSS Score

CWE

CWE-276

Published

11/15/2022

Updated

2/1/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-42127

CVE-2022-42127:
Incorrect Default Permissions in Liferay Portal

The Friendly Url module in Liferay Portal 7.4.3.5 through 7.4.3.36, and Liferay DXP 7.4 update 1 though 36 does not properly check user permissions, which allows remote attackers to obtain the history of all friendly URLs that was assigned to a page.

(GitHub Advisory)

5.3

CVSS Score

Basic Information

CVE ID

CVE-2022-42127

GHSA ID

GHSA-5x9h-p2gx-35mg

EPSS Score

CWE

CWE-276

Published

11/15/2022

Updated

2/1/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
com.liferay.portal:release.portal.bom	maven	>= 7.4.3.5, <= 7.4.3.36	7.4.3.48

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing permission checks in the Friendly URL module's history retrieval functionality. Analysis focused on:

Core data access methods in the service layer that would return historical URL entries
Web layer entry points that handle user requests for URL history While no patch code is available, Liferay's architecture patterns suggest these components would require permission checks (likely added via PermissionChecker.hasPermission() calls in fixed versions). The medium confidence reflects educated inference based on vulnerability patterns in Liferay's permission system and module structure.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** *ri*n*ly Url mo*ul* in Li**r*y Port*l *.*.*.* t*rou** *.*.*.**, *n* Li**r*y *XP *.* up**t* * t*ou** ** *o*s not prop*rly ****k us*r p*rmissions, w*i** *llows r*mot* *tt**k*rs to o*t*in t** *istory o* *ll *ri*n*ly URLs t**t w*s *ssi*n** to * p***.

Reasoning

T** vuln*r**ility st*ms *rom missin* p*rmission ****ks in t** *ri*n*ly URL mo*ul*'s *istory r*tri*v*l *un*tion*lity. *n*lysis *o*us** on: *. *or* **t* ****ss m*t*o*s in t** s*rvi** l*y*r t**t woul* r*turn *istori**l URL *ntri*s *. W** l*y*r *ntry poi

5.3

Basic Information

Concerned about an active attack path?

CVE-2022-42127: Incorrect Default Permissions in Liferay Portal

5.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2022-42127:
Incorrect Default Permissions in Liferay Portal

Vulnerability Intelligence
Miggo AI