1. Home
  2. CVE Database
  3. CVE-2023-33945
MEDIUM · 6.4

CVE-2023-33945

SQL injection vulnerability in the upgrade process for SQL Server in Liferay Portal 7.3.1 through 7.4.3.17, and Liferay DXP 7.3 before update 6, and 7.4 before update 18 allows attackers to execute ar...

Vulnerability Description

SQL injection vulnerability in the upgrade process for SQL Server in Liferay Portal 7.3.1 through 7.4.3.17, and Liferay DXP 7.3 before update 6, and 7.4 before update 18 allows attackers to execute arbitrary SQL commands via the name of a database table's primary key index. This vulnerability is only exploitable when chained with other attacks. To exploit this vulnerability, the attacker must modify the database and wait for the application to be upgraded.

CVSS Score

6.4

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
HIGH
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH

Affected Products

VendorProductVersions
LiferayDigital Experience Platform7.3
LiferayLiferay Portal>= 7.3.1, <= 7.3.7

Related Weaknesses (CWE)

CWE-89

References

FAQ

What is CVE-2023-33945?

CVE-2023-33945 is a vulnerability with a CVSS score of 6.4 (MEDIUM). SQL injection vulnerability in the upgrade process for SQL Server in Liferay Portal 7.3.1 through 7.4.3.17, and Liferay DXP 7.3 before update 6, and 7.4 before update 18 allows attackers to execute ar...

How severe is CVE-2023-33945?

CVE-2023-33945 has been rated MEDIUM with a CVSS base score of 6.4/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2023-33945?

Check the references section above for vendor advisories and patch information. Affected products include: Liferay Digital Experience Platform, Liferay Liferay Portal.