Issue: | |
---|---|
Date: | |
Severity: | Critical |
Requires Admin Access: | No |
Fix Version: | 5.2.4 |
Credit: | Internal Security Team |
Description: | dotCMS fails to normalize the URI string when checking whether a user should have access to a specific directory. If a dotCMS installation stores its assets under Tomcat's webapps/ROOT/assets directory, the files and data stored under this directory can be accessed by crafting a URI that traverses the directory structure, like so: Additionally, when files are uploaded into dotCMS, it creates a temporary file that lives under the ./assets directory and whose location is knowable. This allows a malicious user to upload an executable file such as a JSP and use it to perform remote command execution with the permissions of the user running the dotCMS application. |
Mitigation: | If you are unable to upgrade to dotCMS 5.2.4 or higher, there are workarounds that can be applied: |
References | CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6754 |
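
The root cause named in the Description, an access check made on a URI that has not been normalized, shown beside a check that canonicalizes first. This is an added example, not dotCMS code or the 5.2.4 fix; the class and method names, the `/assets` prefix rule and the sample URIs are assumptions constructed for illustration, and the input is assumed to be the request path without its query string.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayDeque;
import java.util.Deque;

public class NormalizedAccessCheck {
    // Assumption: the protected prefix mirrors the assets directory named in the advisory.
    static final String PROTECTED = "/assets";

    // Flawed pattern: the decision is made on the raw, un-normalized URI.
    static boolean naiveIsProtected(String rawUri) {
        return rawUri.startsWith(PROTECTED + "/");
    }

    // Decode once, drop ";param" suffixes, then resolve "." and ".." segments.
    // Returns null for malformed input or a path that climbs above the root.
    static String canonicalize(String rawUri) {
        Deque<String> stack = new ArrayDeque<>();
        String decoded;
        try {
            // URLDecoder maps '+' to a space, so protect literal plus signs first (Java 10+ overload).
            decoded = URLDecoder.decode(rawUri.replace("+", "%2B"), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return null;
        }
        for (String seg : decoded.replace('\\', '/').split("/")) {
            int semi = seg.indexOf(';');
            if (semi >= 0) seg = seg.substring(0, semi);
            if (seg.isEmpty() || seg.equals(".")) continue;
            if (!seg.equals("..")) stack.addLast(seg);
            else if (stack.isEmpty()) return null;
            else stack.removeLast();
        }
        return "/" + String.join("/", stack);
    }

    // Hardened pattern: fail closed on bad input, then compare the canonical path.
    static boolean isProtected(String rawUri) {
        String path = canonicalize(rawUri);
        return path == null || path.equals(PROTECTED) || path.startsWith(PROTECTED + "/");
    }

    public static void main(String[] args) {
        // Constructed sample request paths, not real dotCMS routes.
        String[] samples = {"/assets/tmp/report.pdf", "/public/../assets/tmp/report.pdf",
                "/public/%2e%2e/assets/tmp/report.pdf", "/public/css/site.css"};
        for (String uri : samples)
            System.out.printf("%-38s naive=%-5b hardened=%b%n", uri, naiveIsProtected(uri), isProtected(uri));
    }
}
```

The check only holds if the resource is then served from the same canonical path that was checked, rather than from the raw URI.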