4.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-42129

GHSA ID

GHSA-g6x4-57hp-j4xm

EPSS Score

0.36544%

CWE

CWE-639

Published

11/15/2022

Updated

2/1/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-42129

CVE-2022-42129:
Authorization Bypass in Liferay Portal

An Insecure direct object reference (IDOR) vulnerability in the Dynamic Data Mapping module in Liferay Portal 7.3.2 through 7.4.3.4, and Liferay DXP 7.3 before update 4, and 7.4 GA allows remote authenticated users to view and access form entries via the formInstanceRecordId parameter.

(GitHub Advisory)

4.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-42129

GHSA ID

GHSA-g6x4-57hp-j4xm

EPSS Score

0.36544%

CWE

CWE-639

Published

11/15/2022

Updated

2/1/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
com.liferay.portal:release.portal.bom	maven	>= 7.3.2, < 7.4.3.5	7.4.3.5

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability centers around improper authorization checks when accessing form entries via formInstanceRecordId. Based on Liferay's architecture:

Service layer functions (DDMFormInstanceRecordServiceImpl) would handle data access logic
Controller endpoints (DDMFormInstanceRecordController) would process HTTP parameters
The CWE-639 pattern matches direct object reference without authorization checks
Dynamic Data Mapping module structure suggests these are core components handling form entries While no patch code is available, the parameter name (formInstanceRecordId) and module details indicate these functions would be involved in processing vulnerable requests. Confidence is medium due to lack of direct patch evidence but strong correlation with vulnerability characteristics.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n Ins**ur* *ir**t o*j**t r***r*n** (I*OR) vuln*r**ility in t** *yn*mi* **t* M*ppin* mo*ul* in Li**r*y Port*l *.*.* t*rou** *.*.*.*, *n* Li**r*y *XP *.* ***or* up**t* *, *n* *.* ** *llows r*mot* *ut**nti**t** us*rs to vi*w *n* ****ss *orm *ntri*s vi*

Reasoning

T** vuln*r**ility **nt*rs *roun* improp*r *ut*oriz*tion ****ks w**n ****ssin* *orm *ntri*s vi* *ormInst*n**R**or*I*. **s** on Li**r*y's *r**it**tur*: *. S*rvi** l*y*r *un*tions (**M*ormInst*n**R**or*S*rvi**Impl) woul* **n*l* **t* ****ss lo*i* *. *ont

4.3

Basic Information

Concerned about an active attack path?

CVE-2022-42129: Authorization Bypass in Liferay Portal

4.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2022-42129:
Authorization Bypass in Liferay Portal

Vulnerability Intelligence
Miggo AI