dotCMS CVE-2020-6754: Path Traversal Leading to Info Disclosure and RCE

Issue: SI-54 Published: Jan 9, 2020 Title: Incorrect access control can lead to information disclosure and remote execution Severity: Critical Requires Admin: Yes Fix Versions: 5.2.4 Credit: Internal Security Team Description: dotCMS fails to normalize the URI string when checking whether a user should have access to a specific directory. If a dotCMS installation stores its assets under the Tomcat's directory, then files and data stored under this directory can be accessed by crafting a URI that traverses the directory structure. Additionally, when files are uploaded into dotCMS, it creates a temporary file located under the directory, and the location of this file is predictable. This allows a malicious user to upload an executable file (such as a JSP) and use it to perform remote command execution. Mitigation: If you are unable to upgrade to dotCMS 5.2.4 or higher, consider applying the following workarounds: - Store dotCMS and in directories outside of the directory and configure the appropriate variables in . - Use an OSGI plugin developed by dotCMS to normalize any URI passed to dotCMS. - Add constraints in to prevent unauthorized access. Example: Issue Links: CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6754 GitHub: https://github.com/dotCMS/core/issues/17796

Goal Reached Thanks to every supporter — we hit 100%!

dotCMS CVE-2020-6754: Path Traversal Leading to Info Disclosure and RCE