Issue: SI-54
Published: Jan 9, 2020
Title: Incorrect access control can lead to information disclosure and remote execution
Severity: Critical
Requires Admin: Yes
Fix Versions: 5.2.4
Credit: Internal Security Team

Description:
dotCMS fails to normalize the URI string when checking whether a user should have access to a specific directory. If a dotCMS installation stores its assets under Tomcat's webapps/ROOT/assets directory, the files and data stored under that directory can be accessed by crafting a URI that traverses the directory structure. Additionally, when files are uploaded into dotCMS, it creates a temporary file that lives under the .assets directory and whose location is predictable. This allows a malicious user to upload an executable file, such as a JSP, and use it to perform remote command execution.

Mitigation:
If you are unable to upgrade to dotCMS 5.2.4 or higher, the following workarounds can be applied:
- Store dotCMS /assets and /dotsecure in directories outside of the webapps/ROOT directory and configure the corresponding variables in dotmarketing-config.properties.
- Use the OSGI plugin fix created by dotCMS to normalize any URI passed to dotCMS.
- Add constraints to the web.xml to prevent unauthorized access.

Example:
http://localhost:8080/234aa/test/../../assets/messages/cms_language_en.properties

Issue Links:
CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6754
GitHub: https://github.com/dotCMS/core/issues/17796
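The normalization defect described above, as an added example in Python (not dotCMS's own code, which is Java): a directory check applied to the raw request path beside one that collapses dot-segments first, plus a small access-log scan that flags requests whose path only resolves into a protected directory after normalization. The protected prefixes, the log lines and all function names are constructed for this demo and are assumptions, not dotCMS internals.

```python
from posixpath import normpath
from urllib.parse import unquote, urlsplit

# Constructed for the demo: directories the access check is meant to guard.
PROTECTED_PREFIXES = ("/assets/", "/dotsecure/")

# The advisory's example URI, used as sample input below.
EXAMPLE_URI = "http://localhost:8080/234aa/test/../../assets/messages/cms_language_en.properties"


def naive_is_protected(uri: str) -> bool:
    """Vulnerable pattern: test the path exactly as the client sent it.
    A path that only reaches /assets/ after '..' resolution is not caught."""
    return urlsplit(uri).path.startswith(PROTECTED_PREFIXES)


def normalize_path(uri: str) -> str:
    """Percent-decode once (what the container sees), then collapse '.', '..'
    and duplicate slashes so the result is the path that will really be served."""
    raw = unquote(urlsplit(uri).path)
    # Re-root at '/' so leading '..' segments cannot escape above the web root.
    return normpath("/" + raw.lstrip("/"))


def hardened_is_protected(uri: str) -> bool:
    """Fixed pattern: run the same prefix check, but on the normalized path."""
    return normalize_path(uri).startswith(PROTECTED_PREFIXES)


def flag_traversal_requests(log_lines):
    """Detection: return request paths whose normalized form differs from the
    raw form and lands in a protected directory (direct, unobfuscated requests
    to /assets/ are left to the normal access check and are not reported)."""
    hits = []
    for line in log_lines:
        try:  # assumed common-log format: ... "METHOD /path HTTP/1.1" ...
            uri = line.split('"')[1].split()[1]
        except IndexError:
            continue
        if normalize_path(uri) != urlsplit(uri).path and hardened_is_protected(uri):
            hits.append(uri)
    return hits


# Constructed sample log lines: one traversal, one direct request, one benign page.
SAMPLE_LOG = [
    '127.0.0.1 - - [09/Jan/2020:10:00:00 +0000] "GET /234aa/test/../../assets/messages/cms_language_en.properties HTTP/1.1" 200 512',
    '127.0.0.1 - - [09/Jan/2020:10:00:01 +0000] "GET /assets/messages/cms_language_en.properties HTTP/1.1" 403 0',
    '127.0.0.1 - - [09/Jan/2020:10:00:02 +0000] "GET /234aa/test/index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    print("naive check blocks example:", naive_is_protected(EXAMPLE_URI))      # False
    print("hardened check blocks example:", hardened_is_protected(EXAMPLE_URI))  # True
    print("flagged in log:", flag_traversal_requests(SAMPLE_LOG))
```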