dotCMS File Upload Vulnerability Allows Code Execution.

CVE advisory | Known Exploit

CVE-2022-26352

A vulnerability in dotCMS allows unauthenticated attackers to upload executable files, leading to remote code execution. This impacts specific dotCMS versions and introduces significant business risk by potentially compromising affected systems.

  • Halo Surface Signal: 4
  • Weakness: Path Traversal
  • Product: dotCMS
  • Affected versions: 3.0 to 22.02

External exposure likelihood

Halo Surface Signal score for CVE-2022-26352

dotCMS is a content management system typically deployed as a web application accessible over the internet to manage public-facing content. Because the vulnerability exists within the ContentResource API, which is a core component of this web-based platform, it is commonly exposed as an internet-facing service.

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in the dotCMS ContentResource API could allow unauthenticated attackers to upload executable files. This occurs when a crafted multipart form request bypasses filename sanitization, leading to directory traversal. If anonymous content creation is enabled, this flaw can result in remote code execution.

  • Vulnerable ContentResource API
  • Unsanitized filename allows traversal
  • Remote code execution impact

Attack Path

How an attacker could exploit the issue

An attacker can exploit a vulnerability in the ContentResource API to upload an executable file. This occurs when a specially crafted multipart form request bypasses filename sanitization, allowing the file to be saved outside its intended directory. If anonymous content creation is enabled, this can lead to remote code execution.

  • Requires exposed API and anonymous content creation.
  • Attacker crafts a request with a malicious filename.
  • Results in unauthorized file upload and code execution.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows an unauthenticated attacker to upload malicious files, such as executable code, to the system. This could lead to a complete compromise of the affected systems, resulting in significant business risk. The ease of exploitation and potential for remote code execution necessitate prompt attention.

  • Likely attacker skill level: Low.
  • Required access or conditions: Unauthenticated access, if anonymous content creation is enabled.
  • Business risk or urgency: High; remote code execution possible.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

The identified vulnerability in the ContentResource API allows unauthenticated attackers to upload executable files, potentially leading to remote code execution if anonymous content creation is enabled. This impacts organizations using specific versions of dotCMS by introducing a significant business risk. Immediate steps should focus on identifying and mitigating the exposure of affected systems.

  • Find dotCMS assets.
  • Restrict anonymous content uploads.
  • Apply vendor fix and verify.
  • Monitor for related activity.
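
One way to approach the monitoring step, as an added example that is not from the advisory or from dotCMS: it parses a captured multipart request body and flags any upload filename that would resolve outside the upload root. The `/uploads` root, the function names, and the sample request are assumptions constructed for illustration.

```python
import posixpath
from email import message_from_bytes
from urllib.parse import unquote

UPLOAD_DIR = "/uploads"  # assumed upload root, for illustration only

def upload_filenames(content_type: str, body: bytes) -> list[str]:
    """Return every filename parameter in a multipart/form-data body."""
    # Prepend the request's Content-Type so the MIME parser knows the boundary.
    raw = b"Content-Type: " + content_type.encode("ascii") + b"\r\n\r\n" + body
    names = []
    for part in message_from_bytes(raw).walk():
        name = part.get_filename()
        if name is not None:
            names.append(name)
    return names

def escapes_upload_dir(filename: str, base: str = UPLOAD_DIR) -> bool:
    """True if base/filename resolves to a path outside base."""
    # Decode percent-escapes and treat backslashes as separators, then
    # resolve '.' and '..' lexically (no filesystem access needed).
    cleaned = unquote(filename).replace("\\", "/")
    resolved = posixpath.normpath(posixpath.join(base, cleaned))
    return not resolved.startswith(base.rstrip("/") + "/")

def suspicious_uploads(content_type: str, body: bytes) -> list[str]:
    """Filenames in the request that would be written outside the upload root."""
    return [n for n in upload_filenames(content_type, body) if escapes_upload_dir(n)]

# Constructed sample request body: one ordinary upload, one traversal filename.
SAMPLE_CT = "multipart/form-data; boundary=XBOUND"
SAMPLE_BODY = (
    b"--XBOUND\r\n"
    b'Content-Disposition: form-data; name="a"; filename="report.pdf"\r\n'
    b"Content-Type: application/pdf\r\n\r\n"
    b"data\r\n"
    b"--XBOUND\r\n"
    b'Content-Disposition: form-data; name="b"; filename="../../outside.txt"\r\n'
    b"Content-Type: text/plain\r\n\r\n"
    b"data\r\n"
    b"--XBOUND--\r\n"
)

if __name__ == "__main__":
    print(suspicious_uploads(SAMPLE_CT, SAMPLE_BODY))
```

A detector like this parses the request with its own MIME parser, so a filename the application reads differently can still slip past it; treat a hit as a lead for review, not as proof of absence when nothing is flagged.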

Frequently asked questions

What is dotCMS and what does its ContentResource API do?

dotCMS is a content management system used for building and managing websites and digital content. The ContentResource API is a component within dotCMS that handles content-related operations.

What is the weakness in CVE-2022-26352?

CVE-2022-26352 is a directory traversal vulnerability. It allows an attacker to trick the software into saving a file outside its intended directory by manipulating the filename in a crafted request.

How can an unauthenticated attacker exploit CVE-2022-26352?

An unauthenticated attacker can exploit this by sending a specially crafted multipart form request that bypasses filename sanitization. If anonymous content creation is enabled, this allows for directory traversal and the upload of executable files, leading to remote code execution.

What is the relevance of CVE-2022-26352 in the context of Halo's threat advisory?

Halo classifies CVE-2022-26352 as 'Likely' to be exploited due to its internet-facing nature. dotCMS, as a web-based content management system, commonly exposes its ContentResource API over the internet, making it a frequent target.

What are the recommended steps to address the dotCMS vulnerability?

Organizations should identify dotCMS assets, restrict anonymous content uploads, apply vendor-provided fixes, and verify the mitigation. Monitoring for related malicious activity is also advised.
