
CVE-2022-42128: n/a in n/a

Severity: Medium
Published: Tue Nov 15 2022 (11/15/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: n/a
Product: n/a

Description

The Hypermedia REST APIs module in Liferay Portal 7.4.1 through 7.4.3.4, and Liferay DXP 7.4 GA does not properly check permissions, which allows remote attackers to obtain a WikiNode object via the WikiNodeResource.getSiteWikiNodeByExternalReferenceCode API.

AI-Powered Analysis

Last updated: 06/25/2025, 06:36:03 UTC

Technical Analysis

CVE-2022-42128 is a medium severity vulnerability affecting the Hypermedia REST APIs module in Liferay Portal versions 7.4.1 through 7.4.3.4, as well as Liferay DXP 7.4 GA. The vulnerability arises due to improper permission checks within the WikiNodeResource.getSiteWikiNodeByExternalReferenceCode API. This flaw allows remote attackers to retrieve WikiNode objects without proper authorization. Specifically, the API does not enforce adequate access control, enabling unauthenticated attackers to query and obtain information about WikiNodes associated with a site by using an external reference code. The vulnerability is classified under CWE-276 (Incorrect Default Permissions), indicating a failure to enforce correct permission settings. The CVSS v3.1 base score is 5.3, reflecting a medium severity level, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and impact limited to confidentiality (C:L) without affecting integrity or availability. No known exploits are currently reported in the wild, and no official patches or vendor advisories are linked in the provided data. The vulnerability could potentially expose sensitive WikiNode metadata or configuration details, which might be leveraged in further targeted attacks or information gathering phases by adversaries.

Potential Impact

For European organizations utilizing Liferay Portal or Liferay DXP, this vulnerability could lead to unauthorized disclosure of WikiNode information, potentially exposing sensitive internal documentation or configuration data. Although the direct impact on integrity and availability is absent, the confidentiality breach could facilitate reconnaissance activities by threat actors, enabling them to map internal wiki structures or identify valuable targets for subsequent exploitation. Organizations in sectors with stringent data protection requirements, such as finance, healthcare, and government, may face compliance risks if sensitive information is inadvertently exposed. Moreover, since Liferay is widely used for intranet portals and content management within enterprises, the exposure of WikiNode data could undermine trust and operational security. Because neither authentication nor user interaction is required, the barrier to exploitation is low, increasing the risk of automated or opportunistic scanning by attackers. The medium severity rating suggests that while the vulnerability is not critical, it should be addressed promptly to prevent information leakage and reduce the attack surface.

Mitigation Recommendations

1. Immediate mitigation involves restricting network access to the affected Liferay REST API endpoints, ideally limiting them to trusted internal networks or VPNs to reduce exposure to unauthenticated external actors.
2. Implement strict web application firewall (WAF) rules to detect and block suspicious API calls targeting the WikiNodeResource.getSiteWikiNodeByExternalReferenceCode endpoint.
3. Review and harden permission configurations within Liferay Portal, ensuring that APIs enforce proper authorization checks consistent with organizational access policies.
4. Monitor application logs for unusual or repeated access attempts to the vulnerable API, enabling early detection of exploitation attempts.
5. Engage with Liferay support or community channels to obtain official patches or updates addressing this vulnerability, and plan for timely deployment.
6. Conduct internal audits of WikiNode content to classify and protect sensitive information, minimizing the impact if data is exposed.
7. Educate development and operations teams about secure API design and the importance of permission checks to prevent similar issues in custom modules or future versions.
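A worked illustration of recommendation 4, added here and not part of the original advisory: it scans access-log lines for requests to the wiki-node external-reference-code endpoint and flags two defender-relevant signals, an anonymous request that was answered with 200 (the permission check let it through) and a single source hitting the endpoint repeatedly. The URL layout of the endpoint (`/o/headless-delivery/.../wiki-nodes/by-external-reference-code/...`) and the log lines are assumptions constructed for the example; adjust the path pattern to match your deployment.

```python
import re
from collections import Counter

# Assumed URL form for the WikiNodeResource.getSiteWikiNodeByExternalReferenceCode
# endpoint (Liferay headless-delivery naming); confirm the exact path in your deployment.
WIKI_NODE_ERC_PATH = re.compile(
    r"^/o/headless-delivery/v[0-9.]+/sites/\d+/wiki-nodes/by-external-reference-code/[^/?]+"
)

# Combined access-log layout: ip ident authuser [time] "method path proto" status bytes
ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed sample log: one anonymous client probing several reference codes,
# one authenticated user doing normal work, and one request that was rejected.
SAMPLE_LOG = """\
198.51.100.7 - - [15/Nov/2022:10:01:02 +0000] "GET /o/headless-delivery/v1.0/sites/20123/wiki-nodes/by-external-reference-code/ops-runbooks HTTP/1.1" 200 812
198.51.100.7 - - [15/Nov/2022:10:01:03 +0000] "GET /o/headless-delivery/v1.0/sites/20123/wiki-nodes/by-external-reference-code/hr-policies HTTP/1.1" 200 640
198.51.100.7 - - [15/Nov/2022:10:01:04 +0000] "GET /o/headless-delivery/v1.0/sites/20123/wiki-nodes/by-external-reference-code/finance HTTP/1.1" 404 120
203.0.113.9 - alice [15/Nov/2022:10:05:00 +0000] "GET /o/headless-delivery/v1.0/sites/20123/wiki-nodes/by-external-reference-code/ops-runbooks HTTP/1.1" 200 812
203.0.113.9 - alice [15/Nov/2022:10:05:01 +0000] "GET /o/headless-delivery/v1.0/sites/20123/documents HTTP/1.1" 200 3011
192.0.2.5 - - [15/Nov/2022:10:09:30 +0000] "GET /o/headless-delivery/v1.0/sites/20123/wiki-nodes/by-external-reference-code/ops-runbooks HTTP/1.1" 403 98
"""


def analyze_access_log(log_text, repeat_threshold=3):
    """Return (unauth_success, repeated).

    unauth_success: (ip, path) pairs where an anonymous request (authuser "-")
    to the wiki-node ERC endpoint returned 200, i.e. no permission check
    blocked it; this is what CVE-2022-42128 being exercised looks like.
    repeated: ip -> hit count for sources that hit the endpoint at least
    repeat_threshold times regardless of status (enumeration-style probing).
    """
    unauth_success = []
    hits = Counter()
    for line in log_text.splitlines():
        m = ACCESS_LINE.match(line)
        if not m or not WIKI_NODE_ERC_PATH.match(m["path"]):
            continue
        hits[m["ip"]] += 1
        if m["user"] == "-" and m["status"] == "200":
            unauth_success.append((m["ip"], m["path"]))
    repeated = {ip: n for ip, n in hits.items() if n >= repeat_threshold}
    return unauth_success, repeated


if __name__ == "__main__":
    successes, probes = analyze_access_log(SAMPLE_LOG)
    for ip, path in successes:
        print(f"ALERT anonymous 200 from {ip}: {path}")
    for ip, n in probes.items():
        print(f"NOTICE {ip} hit the endpoint {n} times")
```

After patching, an anonymous request should no longer produce a 200 for this path, so the first signal should disappear while the second remains useful for spotting scanners.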


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2022-10-03T00:00:00.000Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Added to database: 5/21/2025, 9:09:15 AM

Last enriched: 6/25/2025, 6:36:03 AM

Last updated: 2/7/2026, 12:57:52 PM
