CVE-2024-28822 is an SQL injection flaw in the social activity functionality of Liferay DXP and Liferay Portal. The issue originates in the `findByPrimaryKey` method of the `SocialActivityAchievementPersistenceImpl` class, which builds an SQL query from unvalidated, user-supplied input in the primary key parameter. An attacker can craft a payload containing SQL meta-characters (such as single quotes) that is concatenated directly into the ORDER BY clause of the underlying SQL statement. Because the value is spliced into the query text rather than bound as a parameter (which would treat it as data), the attacker can inject arbitrary SQL and alter the query's logic to read, update, or delete database contents. Exploitation requires authenticated access, but even low-privileged users can reach the vulnerable code path, so the flaw can lead to full compromise of the database backend behind the Liferay instance.
Platform: Liferay DXP
Version: < 2024.Q1.13
Vulnerability: SQL Injection
Severity: Critical
Date: 2024-03-20
Prediction: Patch released
Platform: Liferay Portal
Version: 7.4.3.129
Vulnerability: SQL Injection
Severity: Critical
Date: 2024-03-20
Prediction: Patch released
What Undercode Say:
grep -r "findByPrimaryKey.SocialActivityAchievement" .
// Example vulnerable pattern in persistence layer
public SocialActivityAchievement findByPrimaryKey(Serializable primaryKey)
    throws NoSuchAchievementException {

    SocialActivityAchievement socialActivityAchievement =
        fetchByPrimaryKey(primaryKey);

    if (socialActivityAchievement == null) {
        // SQL concatenation with primaryKey.toString(): the caller-controlled
        // value becomes part of the query text instead of a bound parameter
        StringBundler sb = new StringBundler(4);
        sb.append("... ORDER BY ");
        sb.append(primaryKey.toString()); // Unsanitized input
        // ...
    }

    return socialActivityAchievement;
}
How Exploitation Works:
1. Attacker authenticates.
2. Triggers social activity fetch.
3. Injects payload into key parameter.
4. Executes arbitrary database commands.
Protection from this CVE:
Apply vendor patch.
Update to 2024.Q1.13+.
Use parameterized queries.
Validate and filter input before it reaches the persistence layer.
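The two protections above, parameter binding and input validation, need to be combined here because an ORDER BY column name cannot be bound with a `?` placeholder; only values can. The following is an added example written for this article, not Liferay's own code: it validates the primary key as a numeric id and returns it as the single bound value, and it maps the requested sort order onto a fixed allowlist of column names so no user-supplied text ever appears in the SQL string. The class name, table name, and column names are assumptions made for illustration.

```java
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Added example (not Liferay's code). Hardened lookup that keeps user input
 * out of the SQL text: the id is validated and bound as a parameter, and the
 * ORDER BY identifier, which cannot be bound, comes from an allowlist.
 * Table and column names are hypothetical.
 */
public final class SafeAchievementLookup {

    // Constructed allowlist of sortable columns; nothing outside it reaches the SQL.
    private static final Set<String> SORTABLE_COLUMNS =
        Set.of("activityAchievementId", "createDate", "name");

    // A primary key is a plain integer; anything else (quotes, spaces, SQL) is rejected.
    private static final Pattern NUMERIC_ID = Pattern.compile("\\d{1,18}");

    /** SQL text containing a placeholder plus the one value to bind to it. */
    public record BoundQuery(String sql, long primaryKey) {}

    public static BoundQuery build(String rawPrimaryKey, String rawOrderBy) {
        // Step 1: the id must parse as a number, so no quoting or escaping is needed.
        if (rawPrimaryKey == null || !NUMERIC_ID.matcher(rawPrimaryKey).matches()) {
            throw new IllegalArgumentException("primary key must be a numeric id");
        }
        long primaryKey = Long.parseLong(rawPrimaryKey);

        // Step 2: ORDER BY takes an identifier, not a value, so it cannot be a '?'.
        // Resolve the request against known columns instead of echoing the input.
        String orderBy = (rawOrderBy == null) ? "activityAchievementId" : rawOrderBy;
        if (!SORTABLE_COLUMNS.contains(orderBy)) {
            throw new IllegalArgumentException("unsupported sort column");
        }

        // Step 3: the only user-derived data in the query is the bound parameter.
        String sql = "SELECT * FROM SocialActivityAchievement"
            + " WHERE activityAchievementId = ?"
            + " ORDER BY " + orderBy;
        return new BoundQuery(sql, primaryKey);
    }

    // With a live JDBC connection the result is used as:
    //   PreparedStatement ps = conn.prepareStatement(q.sql());
    //   ps.setLong(1, q.primaryKey());
    public static void main(String[] args) {
        BoundQuery ok = build("42", "createDate");
        System.out.println(ok.sql() + "  [param 1 = " + ok.primaryKey() + "]");

        // Constructed inputs carrying the meta-characters the advisory describes.
        for (String bad : new String[] {"42'", "42 OR 1=1", ""}) {
            try {
                build(bad, null);
                System.out.println("unexpectedly accepted: " + bad);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected id \"" + bad + "\": " + e.getMessage());
            }
        }
        try {
            build("42", "createDate'");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected sort column: " + e.getMessage());
        }
    }
}
```

Running the class prints one accepted query with its placeholder and bound value, followed by the rejected inputs. The design choice worth noting is that the allowlist check happens before any SQL string is assembled, so a new sortable column is added by editing the set, never by relaxing the check.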
Impact:
Database compromise.
Data breach potential.
Full system access.
Sources:
Reported By: nvd.nist.gov