CVE-2022-38512
Description
Liferay Portal and DXP Translation module lacks permission checks, allowing attackers to download web content XLIFF files via crafted URLs.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Translation module in Liferay Portal 7.4.3.12 through 7.4.3.36 and Liferay DXP 7.4 update 8 through update 36 does not check permissions before letting a user export web content for translation [1]. Because ExportTranslationServlet never verified the VIEW permission on the requested item, a user without it could download that item's XLIFF translation file.
Exploitation
An attacker exploits the flaw by requesting the translation export servlet directly with a crafted URL, so the permission validation that normally gates access to the content is never applied. ExportTranslationServlet built the XLIFF export for the className and classPKs named in the request without verifying that the caller held VIEW permission on each item [3][4]. The fix commits also show that the servlet accepted the guest (default) user, so no account was required at all; the attacker only needs the numeric ID (classPK) of the target content, which can be guessed or enumerated.
Impact
Successful exploitation allows an attacker to exfiltrate the full text of a web content page in XLIFF format, which may contain sensitive information. The attacker gains unauthorized access to content that should be restricted, potentially leading to information disclosure and privacy breaches.
Mitigation
Liferay fixed the issue under LPS-158794 in the two commits listed below: ExportTranslationServlet now throws PrincipalException.MustBeAuthenticated for the null or guest (default) user and checks the VIEW action on every requested classPK through the item's InfoItemPermissionProvider before it exports anything [3][4]. Upgrade to a Liferay Portal release later than 7.4.3.36, to Liferay DXP 7.4 update 37 or later (release.dxp.bom 7.4.13.u37), or to com.liferay.translation.web 2.0.58 or later.
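The authorization gate the fix adds to the export servlet, as an added Python example for both the exploitation scenario above and the fix described here. This is not Liferay code and not taken from the page's references: the users, the content store and its ACL, the className string, the provider registry and the file names are constructed stand-ins. export_unchecked models the pre-fix behaviour (anyone, including guest, gets any classPK); export_checked models the fixed behaviour and goes one step past the patch in two places, which the comments mark: it refuses when no permission provider is registered for the className instead of skipping the check, and it authorizes every classPK before writing the first archive entry.

```python
"""Authorization gate for a bulk translation export, modelled on the fix for
CVE-2022-38512. Constructed example: users, content, ACL and the permission-
provider registry are invented stand-ins, not Liferay code."""
import io
import zipfile
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set
from xml.sax.saxutils import escape

VIEW = "VIEW"


@dataclass(frozen=True)
class User:
    user_id: int
    is_default_user: bool = False  # the guest/default user never counts as authenticated


@dataclass
class WebContent:
    class_pk: int
    title: str
    body: str
    viewers: Set[int] = field(default_factory=set)  # constructed ACL: user ids holding VIEW


class PrincipalException(Exception):
    """Base of the two refusals the fixed servlet can raise."""


class MustBeAuthenticated(PrincipalException):
    pass


class MustHavePermission(PrincipalException):
    pass


# Constructed content store keyed by (className, classPK), the pair the servlet
# reads from the request. Only user 1 may view item 102.
JOURNAL = "com.liferay.journal.model.JournalArticle"  # assumed className for web content
CONTENT: Dict[tuple, WebContent] = {
    (JOURNAL, 101): WebContent(101, "Public notice", "Open to all staff", {1, 2}),
    (JOURNAL, 102): WebContent(102, "Board minutes", "Confidential", {1}),
}

# One provider per className, standing in for Liferay's InfoItemPermissionProvider lookup.
PermissionProvider = Callable[[User, int, str], bool]


def _journal_has_permission(user: User, class_pk: int, action: str) -> bool:
    item = CONTENT.get((JOURNAL, class_pk))
    return item is not None and action == VIEW and user.user_id in item.viewers


PROVIDERS: Dict[str, PermissionProvider] = {JOURNAL: _journal_has_permission}


def _xliff(item: WebContent, source: str, target: str) -> str:
    """Minimal XLIFF 1.2 document carrying the item's translatable fields."""
    units = "".join(
        f'<trans-unit id="{name}"><source>{escape(text)}</source><target/></trans-unit>'
        for name, text in (("title", item.title), ("content", item.body))
    )
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<xliff version="1.2" xmlns="urn:oasis:names:tc:xliff:document:1.2">'
        f'<file original="{item.class_pk}" source-language="{source}" '
        f'target-language="{target}" datatype="plaintext"><body>{units}</body></file></xliff>'
    )


def _build_zip(class_name: str, class_pks: List[int], source: str, target: str) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for pk in class_pks:
            zf.writestr(f"{pk}-{source}-{target}.xlf", _xliff(CONTENT[(class_name, pk)], source, target))
    return buf.getvalue()


def export_unchecked(user: Optional[User], class_name: str, class_pks: List[int],
                     source: str = "en_US", target: str = "de_DE") -> bytes:
    """Pre-fix behaviour: the caller's identity is never consulted."""
    return _build_zip(class_name, class_pks, source, target)


def export_checked(user: Optional[User], class_name: str, class_pks: List[int],
                   source: str = "en_US", target: str = "de_DE") -> bytes:
    """Fixed behaviour: authenticate, then require VIEW on every item before writing."""
    if user is None or user.is_default_user:
        raise MustBeAuthenticated("export requires a logged-in user")
    provider = PROVIDERS.get(class_name)
    if provider is None:
        # Fail closed. The Liferay patch skips the check when no provider exists; this model refuses.
        raise MustHavePermission(f"no permission provider registered for {class_name}")
    for pk in class_pks:  # authorize everything first so a refusal never leaves a partial archive
        if not provider(user, pk, VIEW):
            raise MustHavePermission(f"user {user.user_id} lacks VIEW on {class_name}#{pk}")
    return _build_zip(class_name, class_pks, source, target)


def zip_entry_names(archive: bytes) -> List[str]:
    return zipfile.ZipFile(io.BytesIO(archive)).namelist()


def outcome(export, user: Optional[User], class_name: str, class_pks: List[int]) -> str:
    """'ok' when the export succeeds, otherwise the name of the refusal raised."""
    try:
        export(user, class_name, class_pks)
        return "ok"
    except PrincipalException as exc:
        return type(exc).__name__


GUEST, ALICE, BOB = User(0, is_default_user=True), User(1), User(2)
```

outcome(export_unchecked, GUEST, JOURNAL, [101, 102]) returns "ok" and the archive contains the "Confidential" body of item 102, which is the disclosure this CVE describes; outcome(export_checked, GUEST, JOURNAL, [101]) returns "MustBeAuthenticated", and BOB, who holds VIEW on 101 only, gets "MustHavePermission" for [101, 102] and no archive at all.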
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package (Maven) | Affected versions | Patched versions |
|---|---|---|
| com.liferay:com.liferay.translation.web | < 2.0.58 | 2.0.58 |
| com.liferay.portal:release.dxp.bom | >= 7.4.13.u8, < 7.4.13.u37 | 7.4.13.u37 |
Affected products
Two version ranges from the GHSA advisory; no CPE is assigned to either:
- com.liferay:com.liferay.translation.web: < 2.0.58
- com.liferay.portal:release.dxp.bom: >= 7.4.13.u8, < 7.4.13.u37
Patches
48fd5698fc19 LPS-158794 check view permissions for user
1 file changed · +27 −0
modules/apps/translation/translation-web/src/main/java/com/liferay/translation/web/internal/servlet/ExportTranslationServlet.java+27 −0 modified@@ -15,16 +15,22 @@ package com.liferay.translation.web.internal.servlet; import com.liferay.info.exception.NoSuchInfoItemException; +import com.liferay.info.item.InfoItemReference; import com.liferay.info.item.InfoItemServiceTracker; import com.liferay.info.item.provider.InfoItemFieldValuesProvider; import com.liferay.info.item.provider.InfoItemObjectProvider; +import com.liferay.info.item.provider.InfoItemPermissionProvider; import com.liferay.petra.string.StringBundler; import com.liferay.petra.string.StringPool; import com.liferay.portal.kernel.exception.PortalException; import com.liferay.portal.kernel.language.LanguageUtil; import com.liferay.portal.kernel.model.Layout; import com.liferay.portal.kernel.model.User; import com.liferay.portal.kernel.security.auth.PrincipalException; +import com.liferay.portal.kernel.security.permission.ActionKeys; +import com.liferay.portal.kernel.security.permission.PermissionChecker; +import com.liferay.portal.kernel.security.permission.PermissionCheckerFactory; +import com.liferay.portal.kernel.security.permission.PermissionThreadLocal; import com.liferay.portal.kernel.service.LayoutLocalService; import com.liferay.portal.kernel.servlet.ServletResponseUtil; import com.liferay.portal.kernel.util.ContentTypes; 
@@ -110,7 +116,25 @@ protected void doGet( className, segmentsExperienceIds, translationRequestHelper)); + InfoItemPermissionProvider infoItemPermissionProvider = + _infoItemServiceTracker.getFirstInfoItemService( + InfoItemPermissionProvider.class, className); + + PermissionChecker permissionChecker = + _permissionCheckerFactory.create(user); + + PermissionThreadLocal.setPermissionChecker(permissionChecker); + for (long classPK : classPKs) { + if ((infoItemPermissionProvider != null) && + !infoItemPermissionProvider.hasPermission( + permissionChecker, + new InfoItemReference(className, classPK), + ActionKeys.VIEW)) { + + throw new PrincipalException(); + } + _addZipEntry( zipWriter, className, classPK, exportMimeType, sourceLanguageId, targetLanguageIds, @@ -288,6 +312,9 @@ private boolean _isMultipleModels(long[] classPKs) { @Reference private LayoutLocalService _layoutLocalService; + @Reference + private PermissionCheckerFactory _permissionCheckerFactory; + @Reference private Portal _portal;
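Review bot: the new check in doGet fails open: `(infoItemPermissionProvider != null) && !infoItemPermissionProvider.hasPermission(...)` means a className for which `getFirstInfoItemService` returns no InfoItemPermissionProvider is exported with no authorization at all, the same gap this commit closes for classNames that do have one; throw PrincipalException when the provider is null, or state in the code why an unregistered className is safe to skip. Two smaller points in the same hunk: the VIEW check sits inside the loop that also calls `_addZipEntry`, so entries for earlier classPKs have already been written to zipWriter when a later one throws, and authorizing every classPK first and only then writing avoids the partial archive; and `PermissionThreadLocal.setPermissionChecker(permissionChecker)` replaces the thread's checker without the previous value being saved and restored in a finally block anywhere in the visible lines, which matters on a pooled servlet thread.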
1934094578dd LPS-158794 if no user or no authenticated user, throw an exception
1 file changed · +9 −0
modules/apps/translation/translation-web/src/main/java/com/liferay/translation/web/internal/servlet/ExportTranslationServlet.java+9 −0 modified@@ -23,6 +23,8 @@ import com.liferay.portal.kernel.exception.PortalException; import com.liferay.portal.kernel.language.LanguageUtil; import com.liferay.portal.kernel.model.Layout; +import com.liferay.portal.kernel.model.User; +import com.liferay.portal.kernel.security.auth.PrincipalException; import com.liferay.portal.kernel.service.LayoutLocalService; import com.liferay.portal.kernel.servlet.ServletResponseUtil; import com.liferay.portal.kernel.util.ContentTypes; @@ -76,6 +78,13 @@ protected void doGet( throws IOException { try { + User user = _portal.getUser(httpServletRequest); + + if ((user == null) || user.isDefaultUser()) { + throw new PrincipalException.MustBeAuthenticated( + StringPool.BLANK); + } + long[] segmentsExperienceIds = ParamUtil.getLongValues( httpServletRequest, "segmentsExperienceIds");
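Review bot: on its own this hunk only rejects the null and default (guest) user; any authenticated user can still export any classPK, so the per-item VIEW check in the companion commit 48fd5698fc19 on this page is required before the fix is complete, and the two should be reviewed and backported together. Minor: `new PrincipalException.MustBeAuthenticated(StringPool.BLANK)` passes an empty string as the login, so the resulting exception names no principal; passing the request's user identifier instead makes the refusal traceable in logs.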
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-h9ww-wjg4-jvvg (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-38512 (GHSA, advisory)
- liferay.com (GHSA, x_refsource_MISC)
- github.com/liferay/liferay-portal/commit/1934094578ddcd2c1f3d37593b493d3991a6a20f (GHSA, fix commit)
- github.com/liferay/liferay-portal/commit/48fd5698fc1935a90e9c5013c328dbc369ba353d (GHSA, fix commit)
- liferay.atlassian.net/browse/LPE-17610 (GHSA)
- liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2022-38512 (GHSA)
- portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-38512 (MITRE, x_refsource_MISC)