PT-2022-2512 · Dotcms · Dotcms

Published 2022-03-28 · Updated 2025-11-03 · CVE-2022-26352

CVSS v3.1: 10 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

dotCMS versions 3.0 through 22.02

Description

An issue was discovered in the ContentResource API, allowing attackers to craft a multipart form request to post a file whose filename is not initially sanitized. This allows directory traversal, in which the file is saved outside of the intended storage location. If anonymous content creation is enabled, this allows an unauthenticated attacker to upload an executable file, such as a .jsp file, that can lead to remote code execution.

The underlying weakness is improper limitation of a pathname to a restricted directory (path traversal). Exploitation may allow a remote attacker to execute arbitrary code using specially crafted POST file requests. The estimated number of potentially affected devices worldwide is not specified, but the dotCMS content management system is reported to be used by more than 10,000 customers in 70 countries. There have been reports of real-world incidents in which this issue was exploited, including attacks by North Korean threat actors using H0lyGh0st ransomware.

Recommendations

For dotCMS versions 3.0 through 22.02, consider disabling the ContentResource API or restricting access to it until a patch is available. As a temporary workaround, restrict the ability to upload files with executable extensions, such as .jsp files. Additionally, disable anonymous content creation to prevent unauthenticated attackers from uploading malicious files. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
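The following is an added example, not dotCMS code and not part of the original advisory: it contrasts joining a client-supplied multipart filename to a storage directory as-is with a resolver that strips directory components, applies the executable-extension restriction from the recommendations, and checks containment. The class and method names, the storage path and the blocked-extension list are assumptions, and the sample filenames are constructed.

```java
import java.io.IOException;
import java.nio.file.*;
import java.util.Locale;
import java.util.Set;

public class UploadPathCheck {
    // Assumed storage root and blocked extensions for this example (hypothetical values).
    static final Path STORAGE = Paths.get("/srv/assets/tmp_upload").toAbsolutePath().normalize();
    static final Set<String> BLOCKED_EXT = Set.of("jsp", "jspx", "war");

    // Unsafe pattern: the client-supplied filename is joined to the storage root as-is.
    static Path naiveTarget(String clientName) {
        return STORAGE.resolve(clientName);
    }

    // Hardened pattern: keep only the last path component, reject executable
    // extensions, then confirm the normalized result is still under STORAGE.
    static Path safeTarget(String clientName) throws IOException {
        if (clientName == null || clientName.indexOf('\0') >= 0) throw new IOException("bad filename");
        // Treat both '/' and '\' as separators regardless of the host OS.
        String base = clientName.replace('\\', '/');
        base = base.substring(base.lastIndexOf('/') + 1);
        if (base.isEmpty() || base.equals(".") || base.equals("..")) throw new IOException("empty or dot filename");
        String lower = base.toLowerCase(Locale.ROOT);
        String ext = lower.contains(".") ? lower.substring(lower.lastIndexOf('.') + 1) : "";
        if (BLOCKED_EXT.contains(ext)) throw new IOException("blocked extension: " + ext);
        Path target = STORAGE.resolve(base).normalize();
        if (!target.startsWith(STORAGE) || target.equals(STORAGE)) throw new IOException("escapes storage root");
        return target;
    }

    public static void main(String[] args) {
        // Constructed sample filenames, as they might arrive in a multipart Content-Disposition header.
        String[] samples = { "report.pdf", "../../webapps/ROOT/x.jsp", "..\\..\\x.jsp", "a/b/photo.png", ".." };
        for (String s : samples) {
            System.out.println("input:  " + s);
            System.out.println("  naive -> " + naiveTarget(s).normalize());
            try {
                System.out.println("  safe  -> " + safeTarget(s));
            } catch (IOException e) {
                System.out.println("  safe  -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

The containment check on the normalized path is the control that matters; the extension list only narrows what can be written inside the storage directory and should not be relied on alone.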

Exploit

Path traversal

Weakness Enumeration

Related Identifiers

BDU:2022-02925
CVE-2022-26352

Affected Products

Dotcms