Andrey B. Panfilov

**Name of the Vulnerable Software and Affected Versions** OpenText Documentum Content Server versions through 7.3 **Description** The issue allows an authenticated user to gain superuser privileges due to a design gap in the Content Server. This gap enables uploading content using batches, specifically TAR archives. When Content Server unpacks these archives, it fails to verify their contents, leading to a path traversal vulnerability via symlinks. Since some files on the Content Server filesystem are security-sensitive, this vulnerability results in privilege escalation. **Recommendations** For versions through 7.3, consider restricting access to the TAR archive upload feature to minimize the risk of exploitation until a patch is available. As a temporary workaround, implement additional validation on the contents of uploaded TAR archives to prevent path traversal attacks.

**Name of the Vulnerable Software and Affected Versions** OpenText Documentum Content Server versions through 7.3 **Description** The issue allows an authenticated user to gain superuser privileges by exploiting a design gap in how Content Server stores and manages information about uploaded files in `dmr content` objects. These objects are queryable and can be modified by authenticated users, who can delete a `dmr content` object and then create a new one with the same identifier. This capability enables any authenticated user to replace the content of security-sensitive `dmr content` objects, such as those related to `dm method` objects, thereby gaining superuser privileges. **Recommendations** For OpenText Documentum Content Server versions through 7.3, consider restricting access to `dmr content` objects to prevent authenticated users from modifying security-sensitive content, and limit the ability to delete and recreate `dmr content` objects with the same identifier. As a temporary workaround, consider implementing strict access controls on `dmr content` objects related to `dm method` objects to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** OpenText Documentum Content Server (formerly EMC Documentum Content Server) versions through 7.3 **Description** The issue allows authenticated users to download arbitrary content files, regardless of their repository permissions, due to a design gap in the content upload process. This process involves several steps, including calling the START PUSH RPC-command, uploading the file, calling the END PUSH V2 RPC-command to receive a DATA TICKET, and creating a dmr content object with the received DATA TICKET value. As a result, any authenticated user can create a dmr content object pointing to existing content in the Content Server filesystem. **Recommendations** For OpenText Documentum Content Server versions through 7.3, consider restricting access to the RPC-commands, specifically START PUSH and END PUSH V2, to prevent unauthorized users from uploading and linking to arbitrary content files. Additionally, restrict the ability to create dmr content objects to only those users who have the necessary permissions to access the content they are linking to. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenText Documentum Content Server versions prior to 7.3 **Description** The issue arises from improper input validation of the PUT FILE RPC-command, allowing any authenticated user to hijack an arbitrary file from the Content Server filesystem. This can lead to privilege escalation due to the security-sensitive nature of some files on the Content Server filesystem. **Recommendations** For versions prior to 7.3, update to version 7.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** OpenText Documentum Content Server (affected versions not specified) **Description** The issue is related to inadequate protection against SQL injection, allowing remote authenticated users to execute arbitrary code with super-user privileges. This can be achieved by leveraging the dm bp transition docbase method with a user-created dm procedure object. An example of exploitation involves using a backspace character in an injected string. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenText Documentum Content Server (affected versions not specified) **Description** The issue allows superuser access via `sys obj save` or save of a crafted object, followed by an unauthorized "UPDATE dm dbo.dm user s SET user privileges=16" command, also referred to as an "RPC save-commands" attack. This is due to an incomplete fix for a previous issue. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenText Documentum D2 versions 4.x **Description** The issue allows remote attackers to execute arbitrary commands via a crafted serialized Java object. This is related to the BeanShell and Apache Commons Collections libraries. **Recommendations** For version 4.x, update to a version that includes a fix for the issue with the BeanShell and Apache Commons Collections libraries.