Reported critical RCE bug in dotCMS content management software
A pre-authenticated remote code execution vulnerability has been disclosed in dotCMS, an open-source content management system written in Java and “used by more than 10,000 customers in more than 70 countries around the world, brands Fortune 500 and Midsize Companies”.
The critical flaw, tracked as CVE-2022-26352, stems from a directory traversal attack when performing file downloads, allowing an adversary to execute arbitrary commands on the underlying system.
“An attacker can upload arbitrary files to the system,” Assetnote’s Shubham Shah said in a report. “By uploading a JSP file to the root directory of Tomcat, it is possible to achieve code execution, leading to the execution of commands.”
In other words, the arbitrary file upload flaw can be exploited to replace already existing files in the system with a web shell, which can then be used to gain persistent remote access.
Assetnote said it discovered and reported the flaw on February 21, 2022, after which patches were released in versions 22.03, 126.96.36.199, and 21.06.7.
“When files are uploaded to dotCMS through the Content API, but before they become content, dotCMS writes the file to a temporary directory,” the company said. “In the case of this vulnerability, dotCMS does not sanitize the filename passed through the multipart request header and therefore does not sanitize the temporary filename.”
“In the case of this exploit, an attacker can upload a special .jsp file to the dotCMS webapp/ROOT directory that may allow remote code execution,” he noted.
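The filename-handling weakness the advisory describes, shown as an added example that is not dotCMS code: a vulnerable resolver that joins the multipart Content-Disposition filename straight onto a temporary directory (so `../` segments walk out of it), beside a hardened resolver that keeps only the last path component, allow-lists the extension and lets the server choose the on-disk name. The temp directory, the allow-list and the header values are constructed for the illustration.

```python
"""Added illustration, not dotCMS code: why an unsanitized multipart filename
lets an upload escape the temporary directory, and how a hardened resolver
keeps it confined. All paths and header values below are constructed."""
import posixpath
import re
import uuid

TEMP_DIR = "/opt/app/temp"                           # constructed scratch dir
ALLOWED_SUFFIXES = {".png", ".jpg", ".pdf", ".txt"}  # constructed allow-list

_FILENAME_RE = re.compile(r'filename="([^"]*)"')


def filename_from_disposition(header: str) -> str:
    """Pull the filename parameter out of a multipart Content-Disposition header."""
    m = _FILENAME_RE.search(header)
    if not m:
        raise ValueError("no filename parameter")
    return m.group(1)


def is_confined(path: str, root: str = TEMP_DIR) -> bool:
    """True if the normalised path still sits underneath root."""
    norm = posixpath.normpath(path)
    return norm == root or norm.startswith(root + "/")


def unsafe_temp_path(filename: str) -> str:
    """Vulnerable pattern: the client-supplied name is joined to the temp dir
    verbatim, so '../' segments in it resolve outside the directory."""
    return posixpath.normpath(posixpath.join(TEMP_DIR, filename))


def safe_temp_path(filename: str, name_factory=lambda: uuid.uuid4().hex) -> str:
    """Hardened pattern: keep only the last path component, allow-list the
    extension, and let the server (name_factory) pick the on-disk name."""
    base = posixpath.basename(filename.replace("\\", "/"))
    if base in ("", ".", "..") or "\x00" in base:
        raise ValueError(f"rejected filename: {filename!r}")
    suffix = posixpath.splitext(base)[1].lower()
    if suffix not in ALLOWED_SUFFIXES:
        raise ValueError(f"rejected extension: {suffix!r}")
    candidate = posixpath.join(TEMP_DIR, name_factory() + suffix)
    if not is_confined(candidate):  # defence in depth; cannot trip here
        raise ValueError("path escapes temp dir")
    return candidate


if __name__ == "__main__":
    # Constructed headers: one traversal attempt, one ordinary upload.
    headers = [
        'form-data; name="file"; filename="../../webapps/ROOT/x.jsp"',
        'form-data; name="file"; filename="report.pdf"',
    ]
    for hdr in headers:
        name = filename_from_disposition(hdr)
        p = unsafe_temp_path(name)
        print(f"{name!r}: unsafe -> {p} (confined={is_confined(p)})")
        try:
            print("  safe   ->", safe_temp_path(name))
        except ValueError as exc:
            print("  safe   -> rejected:", exc)
```

The vulnerable function is what the advisory's "does not sanitize the filename passed through the multipart request header" amounts to in miniature: with `TEMP_DIR` at `/opt/app/temp`, a filename of `../../webapps/ROOT/x.jsp` normalises to `/opt/webapps/ROOT/x.jsp`, outside the scratch directory. The hardened version removes the client's control over the directory (basename only), over the type (allow-list, case-folded) and over the final name (server-generated), and a containment check remains as a backstop for any future refactor.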