VYPR
Moderate severity · NVD Advisory · Published Nov 15, 2022 · Updated Apr 30, 2025

CVE-2022-42126

Description

The Asset Libraries module in Liferay Portal 7.3.5 through 7.4.3.28, and Liferay DXP 7.3 before update 8, and DXP 7.4 before update 29 does not properly check permissions of asset libraries, which allows remote authenticated users to view asset libraries via the UI.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Liferay Portal and DXP fail to enforce proper permissions on asset libraries, letting authenticated users view restricted ones via the UI.

Vulnerability Description

The Asset Libraries module in Liferay Portal versions 7.3.5 through 7.4.3.28, Liferay DXP 7.3 before update 8, and DXP 7.4 before update 29 does not properly validate permissions when displaying asset libraries. This access control flaw allows a remote authenticated user to view asset libraries they should not have access to [1].

Attack Vector

An attacker needs only a valid user account on the affected Liferay instance. Exploitation occurs through the normal user interface and requires no special privileges or technical sophistication beyond regular authenticated access [1].

Impact

A successful exploit enables an authenticated user to bypass intended permission restrictions and browse asset libraries that are supposed to be hidden from them. This can lead to unauthorized exposure of sensitive content managed within those libraries [1].

Mitigation

Liferay has addressed this issue in Portal 7.4.3.29 and DXP updates 8 (for 7.3) and 29 (for 7.4) [1]. Customers should upgrade to these patched versions or apply the appropriate security update. No workarounds have been documented.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| com.liferay.portal:release.portal.bom (Maven) | >= 7.3.5, < 7.4.3.48 | 7.4.3.48 |
