Moderate severity · NVD Advisory · Published Nov 15, 2022 · Updated Apr 30, 2025

CVE-2022-42128

Description

The Hypermedia REST APIs module in Liferay Portal 7.4.1 through 7.4.3.4, and Liferay DXP 7.4 GA does not properly check permissions, which allows remote attackers to obtain a WikiNode object via the WikiNodeResource.getSiteWikiNodeByExternalReferenceCode API.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Liferay Portal and DXP fail to enforce permissions in the Hypermedia REST APIs module, allowing remote attackers to retrieve WikiNode objects.

Vulnerability Description

The Hypermedia REST APIs module in Liferay Portal 7.4.1 through 7.4.3.4 and Liferay DXP 7.4 GA does not properly validate permissions when processing requests to the WikiNodeResource.getSiteWikiNodeByExternalReferenceCode API. This flaw allows an unauthenticated remote attacker to bypass access controls and retrieve a WikiNode object without proper authorization [1].

Exploitation

An attacker can exploit this vulnerability by sending a crafted request to the affected API endpoint. No authentication or prior knowledge of the system is required, as the permission check is missing entirely. The attack is remotely exploitable over the network and does not require any special privileges or user interaction [1].

Impact

Successful exploitation enables the attacker to obtain WikiNode objects, which may contain sensitive configuration data, internal notes, or other information that could aid in further attacks. The exposure of such objects violates the principle of least privilege and could lead to escalation of access within the Liferay instance [1].

Mitigation

As of the publication date, no patch or workaround has been officially announced by Liferay. Users are advised to monitor vendor advisories and apply any security updates as soon as they become available [1].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
com.liferay.portal:release.portal.bom (Maven) | >= 7.4.1, < 7.4.3.5 | 7.4.3.5

Affected products: 3

Patches: 0. No patches discovered yet.

References

5
