Issues » Bundle path traversal

Issue: SI-41
Date: Mar 9, 2017, 2:30:00 AM
Severity: Medium
Requires Admin Access: Yes
Fix Version: 3.7.2
Credit: SafeDog Penetration and Defense Lab - Yong Cai

With a user that is authenticated to the backend, intentionally customized bundles can be uploaded that will write files to arbitrary locations on the filesystem.


Should always be running dotCMS as a user that only has access to the parts of the filesystem necessary to run dotCMS.  These limited permissions will keep this vulnerability from being used to write files outside of the dotCMS / tomcat directory structure.

Access to vulnerability requires:

  • User must be authenticated
  • User must have access to publishing queue portlet

The soon to be released 3.7.2 version of dotCMSA fix will be forthcoming that will ensure that files from bundles can only be written to the intended location within dotCMS.


CERT issue CVE-2017-3188