An authenticated directory traversal vulnerability in dotCMS API can lead to RCE. A zip file at the "/api/integrity/_fixconflictsfromremote" endpoint is accepted and extracted without performing path traversal check. This can be exploited by sending a specially crafted zip file which contains directory traversal characters in the file content names (/../../xyz.sh). This allows for the contents to be extracted at an arbitrary path inside the system.

This vulnerability requires Admin privileges to exploit.

• Upgrade to one of the versions of dotCMS listed above:
  • 22.12
  • LTS 21.06.12
  • LTS 22.03.4
• Use a WAF to prevent POSTs to the /api/integrity/_fixconflictsfromremote

• https://security.snyk.io/research/zip-slip-vulnerability
• https://www.dotcms.com/docs/latest/xss-prevention
• CVE-2022-45783
• The rest api endpoint method calls the method fixConflicts:
  https://github.com/dotCMS/core/blob/release-21.04/dotCMS/src/main/java/com/dotcms/rest/IntegrityResource.java#L835
• The fixConflicts method calls the unzipFile method:
  https://github.com/dotCMS/core/blob/release-21.04/dotCMS/src/main/java/com/dotcms/integritycheckers/IntegrityUtil.java#L567
• The unzipFile method unzips the file without the proper checks in place:
  https://github.com/dotCMS/core/blob/release-21.04/dotCMS/src/main/java/com/dotcms/integritycheckers/IntegrityUtil.java#L205