Report of a Critical RCE Problem in the dotCMS Content Management Software

dotCMS Content Management Software News

A pre-authenticated remote code execution vulnerability has been disclosed in dotCMS, an open-source content management system written in Java and “used by over 10,000 clients in over 70 countries around the globe, from Fortune 500 brands and mid-sized businesses. “

The critical flaw, tracked as CVE-2022-26352, stems from a directory traversal attack when performing file uploads, enabling an adversary to execute arbitrary commands on the underlying system.

“An attacker can upload arbitrary files to the system,” Shubham Shah of Assetnote said in a report. “By uploading a JSP file to the tomcat’s root directory, it is possible to achieve code execution, leading to command execution. “

In other words, you can use the arbitrary upload flaw to create new files within the system. This web shell can then be used for persistent remote access.

dotCMS Content Management Software

Although the exploit made it possible to write to arbitrary JavaScript files being served by the application, the researchers said the nature of the bug was such that it could be weaponized to gain command execution.

AssetNote said it discovered and reported the flaw on February 21, 2022, following which patches have been released in versions 22. 03, 5.3.8. 10, and 21.06.7.

“When files are uploaded into dotCMS via the content API, but before they become content, dotCMS writes the file down in a temp directory,” the company said. DotCMS doesn’t sanitize filenames passed through multipart request headers and does not clean temp files. “

“In the case of this exploit, an attacker can upload a special .jsp file to the webapp/ROOT directory of dotCMS which can allow for remote code execution,” it noted.

David
Rate author
Hackarizona