Miggo Logo
Miggo Vulnerability Database
CVE-2022-42131

CVE-2022-42131: Improper Certificate Validation in Liferay Portal

4.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2022-42131
GHSA ID
GHSA-cx84-43xc-3gm2
EPSS Score
0.30381%
CWE
CWE-295
Published
11/15/2022
Updated
2/1/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
com.liferay.portal:release.portal.bommaven>= 7.1.0, < 7.4.3.47.4.3.4

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability centers on missing SSL validation in DDM REST data providers. While exact patch details are unavailable, the advisory specifically identifies DDMRESTDataProvider as the vulnerable component. Typical Java REST client patterns would involve:

  1. A main execution method (getResponse) that initiates requests
  2. A helper method (_getHttpClient) configuring the HTTP client Insecure implementations often skip SSL verification in these locations. The medium confidence reflects educated inference based on vulnerability patterns and Liferay's component structure.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

**rt*in Li**r*y pro*u*ts *r* *****t** *y: Missin* SSL **rti*i**t* V*li**tion in t** *yn*mi* **t* M*ppin* mo*ul*'s R*ST **t* provi**rs. T*is *****ts Li**r*y Port*l *.*.* t*rou** *.*.* *n* Li**r*y *XP *.* ***or* *ix p**k **, *.* ***or* *ix p**k **, *n*

Reasoning

T** vuln*r**ility **nt*rs on missin* SSL v*li**tion in **M R*ST **t* provi**rs. W*il* *x**t p*t** **t*ils *r* un*v*il**l*, t** **visory sp**i*i**lly i**nti*i*s **MR*ST**t*Provi**r *s t** vuln*r**l* *ompon*nt. Typi**l J*v* R*ST *li*nt p*tt*rns woul* i