Moderate severityNVD Advisory· Published Apr 19, 2022· Updated Aug 3, 2024
CVE-2022-26595
CVE-2022-26595
Description
Liferay Portal 7.3.7, 7.4.0, and 7.4.1, and Liferay DXP 7.2 fix pack 13, and 7.3 fix pack 2 does not properly check user permission when accessing a list of sites/groups, which allows remote authenticated users to view sites/groups via the user's site membership assignment UI.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
com.liferay.portal:release.portal.bomMaven | >= 7.4.0, < 7.4.2-ga3 | 7.4.2-ga3 |
com.liferay.portal:release.dxp.bomMaven | >= 7.2.0, < 7.2.10.fp13 | 7.2.10.fp13 |
com.liferay.portal:release.dxp.bomMaven | >= 7.3.0, < 7.3.10.fp2 | 7.3.10.fp2 |
com.liferay:com.liferay.site.browser.webMaven | < 6.0.5 | 6.0.5 |
com.liferay.portal:com.liferay.portal.implMaven | < 7.7.9 | 7.7.9 |
Affected products
6- osv-coords5 versionspkg:bitnami/liferaypkg:maven/com.liferay/com.liferay.site.browser.webpkg:maven/com.liferay.portal/com.liferay.portal.implpkg:maven/com.liferay.portal/release.dxp.bompkg:maven/com.liferay.portal/release.portal.bom
>= 7.2-fix.0, <= 7.2-fix.0+ 4 more
- (no CPE)range: >= 7.2-fix.0, <= 7.2-fix.0
- (no CPE)range: < 6.0.5
- (no CPE)range: < 7.7.9
- (no CPE)range: >= 7.2.0, < 7.2.10.fp13
- (no CPE)
Patches
Vulnerability mechanics
References
7- github.com/advisories/GHSA-822f-jfpg-hg7hghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2022-26595ghsaADVISORY
- liferay.commitrex_refsource_MISC
- github.com/liferay/liferay-portal/commit/5b958de42d93f1ba5879a0a20054b14ad7f145c4ghsaWEB
- liferay.atlassian.net/issues/LPE-17367ghsaWEB
- liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2022-26595-unauthorized-access-to-site-group-listghsaWEB
- portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-26595-unauthorized-access-to-site-group-listmitrex_refsource_MISC
News mentions
0No linked articles in our index yet.