{"id":"CVE-2023-33945","details":"SQL injection vulnerability in the upgrade process for SQL Server in Liferay Portal 7.3.1 through 7.4.3.17, and Liferay DXP 7.3 before update 6, and 7.4 before update 18 allows attackers to execute arbitrary SQL commands via the name of a database table's primary key index. This vulnerability is only exploitable when chained with other attacks. To exploit this vulnerability, the attacker must modify the database and wait for the application to be upgraded.","aliases":["BIT-liferay-2023-33945","GHSA-g7vw-43xg-8m4h"],"modified":"2026-04-11T12:45:18.025054Z","published":"2023-05-24T16:15:09.760Z","database_specific":{"unresolved_ranges":[{"cpe":"cpe:2.3:a:liferay:digital_experience_platform:7.4:update10:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"last_affected":"7.4-update10"}]},{"cpe":"cpe:2.3:a:liferay:digital_experience_platform:7.4:update11:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"last_affected":"7.4-update11"}]},{"cpe":"cpe:2.3:a:liferay:digital_experience_platform:7.4:update12:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"last_affected":"7.4-update12"}]},{"cpe":"cpe:2.3:a:liferay:digital_experience_platform:7.4:update13:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"last_affected":"7.4-update13"}]},{"cpe":"cpe:2.3:a:liferay:digital_experience_platform:7.4:update14:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"last_affected":"7.4-update14"}]},{"cpe":"cpe:2.3:a:liferay:digital_experience_platform:7.4:update15:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"last_affected":"7.4-update15"}]},{"cpe":"cpe:2.3:a:liferay:digital_experience_platform:7.4:update16:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"last_affected":"7.4-update16"}]},{"cpe":"cpe:2.3:a:liferay:digital_experience_platform:7.4:update17:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"last_affected":"7.4-update17"}]},{"cpe":"cpe:2.3:a:liferay:digital_experience_platform:7.4:update3:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"last_affected":"7.4-update3"}]},{"cpe":"cpe:2.3:a:liferay:digital_experience_platform:7.4:update4:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"last_affected":"7.4-update4"}]},{"cpe":"cpe:2.3:a:liferay:digital_experience_platform:7.4:update5:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"last_affected":"7.4-update5"}]},{"cpe":"cpe:2.3:a:liferay:digital_experience_platform:7.4:update6:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"last_affected":"7.4-update6"}]},{"cpe":"cpe:2.3:a:liferay:digital_experience_platform:7.4:update7:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"last_affected":"7.4-update7"}]},{"cpe":"cpe:2.3:a:liferay:digital_experience_platform:7.4:update8:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"last_affected":"7.4-update8"}]},{"cpe":"cpe:2.3:a:liferay:digital_experience_platform:7.4:update9:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"last_affected":"7.4-update9"}]}]},"references":[{"type":"ADVISORY","url":"https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33945"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/liferay/liferay-portal","events":[{"introduced":"0"},{"last_affected":"4ffdd7225ef4a5fd922703263a3006a741a4d8d0"},{"last_affected":"0515646c8f638f202d107469cc147172fc7685de"},{"last_affected":"77b773677e0fa17b1a869414ad66220245ba96a8"},{"last_affected":"6d28f4266948e7b0eeb14c3e8d16b3d81e02e8bb"},{"last_affected":"f193301b2848899b008d51513af62a3b3a9b7888"},{"last_affected":"548f3899675d89749f92b7623d25e27d0c4691c7"},{"last_affected":"75354f3482d7c5edb70f4cd72ed8664ce8079842"},{"introduced":"4ffdd7225ef4a5fd922703263a3006a741a4d8d0"},{"last_affected":"29b73b9b896c7d44fb5d1800a402698c303d1cf6"},{"introduced":"ec84d86679146b84af526f96471a730c340dda78"},{"last_affected":"f147f938cdc74b0c0821cdb151fce8c378e0fdf5"}],"database_specific":{"cpe":["cpe:2.3:a:liferay:digital_experience_platform:7.3:update1:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.3:update2:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.3:update3:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.3:update4:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.3:update5:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.4:update1:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.4:update2:*:*:*:*:*:*","cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*"],"source":"CPE_FIELD","extracted_events":[{"introduced":"0"},{"last_affected":"7.3-update1"},{"last_affected":"7.3-update2"},{"last_affected":"7.3-update3"},{"last_affected":"7.3-update4"},{"last_affected":"7.3-update5"},{"last_affected":"7.4-update1"},{"last_affected":"7.4-update2"},{"introduced":"7.3.1"},{"last_affected":"7.3.7"},{"introduced":"7.4.0"},{"last_affected":"7.4.3.17"}]}}],"versions":["7.3.1-ga2","7.3.2-ga3","7.3.3-ga4","7.3.4-ga5","7.3.5-ga6","7.3.6-ga7","7.3.7-ga8","7.4.0-ga1","7.4.1-ga2","7.4.2-ga3","7.4.3.17-ga17","7.4.3.4-ga4","7.4.3.5-ga5","7.4.3.6-ga6","7.4.3.7-ga7","test-fix-pack-base-7310"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-33945.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}