Issues » TempFileAPI can bypass access restrictions to access local/private network resources

Issue: SI-64
Date: Aug 25, 2022, 9:30:00 AM
Severity: Medium
Requires Admin Access: Yes
Fix Version: 22.08+, LTS 21.06.12+, LTS 22.03.4+
Credit: Fortinet / Thanh Nguyen Nguyen
Description:

dotCMS TempFileAPI allows a user to create a temporary file based on a passed-in URL, and dotCMS attempts to block access to URLs that contain local IPs or private subnets. When resolving the remote URL, however, the TempFileAPI follows any 302 redirects that the remote URL returns. An attacker can set up a URL that returns a 302 redirect to a local resource, for example https://elasticsearch:9200, which dotCMS will follow and attempt to retrieve. Because dotCMS does not re-validate the redirect URL, the TempFileAPI can be used to return data from local/private IPs that should not be accessible remotely.

This vulnerability was introduced in dotCMS version 5.2.0.  Users of versions before that are not affected by this vulnerability report.
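The flaw described above is a URL check applied only to the first request while the HTTP client follows redirects on its own. The following Python example is added here to illustrate the defensive fix; it is not dotCMS code and does not reflect how TempFileAPI is implemented. It contrasts the flawed pattern (validate once, then follow redirects blindly) with the hardened one (automatic redirects disabled, every hop re-validated before it is fetched). The hostnames, addresses and responses in `DEMO_DNS` and `DEMO_RESPONSES` are constructed so the example runs offline; the resolver and fetcher are pluggable so the same logic can be wired to a real HTTP client with redirects turned off.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

REDIRECT_STATUSES = {301, 302, 303, 307, 308}
MAX_REDIRECTS = 5


def is_non_public(addr):
    """True for loopback, RFC 1918, link-local, multicast, reserved or unspecified addresses."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (e.g. ::ffff:10.0.0.5) so the IPv4 checks apply to it.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def system_resolver(host):
    """Resolve a hostname through the OS resolver (replaced by a table in the demo below)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_url(url, resolver=system_resolver):
    """Return None if the URL may be fetched, otherwise a string explaining why it is blocked."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return "missing host"
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IP address in the URL
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError as exc:
            return f"cannot resolve {host}: {exc}"
    if not addrs:
        return f"{host} resolves to no address"
    # Every address the name resolves to must be public (names may be multi-homed).
    for addr in addrs:
        if is_non_public(addr):
            return f"{host} resolves to non-public address {addr}"
    return None


def fetch_first_hop_only(url, fetch, resolver=system_resolver, max_redirects=MAX_REDIRECTS):
    """Flawed pattern: validate the user-supplied URL once, then follow redirects blindly."""
    reason = validate_url(url, resolver)
    if reason:
        raise ValueError(f"blocked {url}: {reason}")
    current = url
    for _ in range(max_redirects + 1):
        status, headers, body = fetch(current)
        if status in REDIRECT_STATUSES:
            current = urljoin(current, headers["Location"])
            continue
        return current, status, body
    raise ValueError("too many redirects")


def fetch_validated(url, fetch, resolver=system_resolver, max_redirects=MAX_REDIRECTS):
    """Hardened pattern: every hop, including each redirect target, is validated before it is fetched."""
    current = url
    for hop in range(max_redirects + 1):
        reason = validate_url(current, resolver)
        if reason:
            raise ValueError(f"blocked redirect hop {hop} to {current}: {reason}")
        status, headers, body = fetch(current)
        if status in REDIRECT_STATUSES:
            location = headers.get("Location")
            if not location:
                raise ValueError(f"{current} redirected without a Location header")
            current = urljoin(current, location)
            continue
        return current, status, body
    raise ValueError("too many redirects")


# Constructed offline stand-ins: hypothetical hosts, addresses and responses, not real infrastructure.
DEMO_DNS = {"redirector.example": ["93.184.216.34"], "elasticsearch": ["10.0.0.5"]}
DEMO_RESPONSES = {
    "https://redirector.example/bounce": (302, {"Location": "https://elasticsearch:9200"}, b""),
    "https://redirector.example/hop": (302, {"Location": "/page"}, b""),
    "https://redirector.example/page": (200, {}, b"public page"),
    "https://elasticsearch:9200": (200, {}, b"internal service banner"),
}


def demo_resolver(host):
    if host not in DEMO_DNS:
        raise OSError(f"unknown host {host}")
    return DEMO_DNS[host]


def demo_fetch(url):
    """Stand-in for an HTTP client with automatic redirects disabled: (status, headers, body)."""
    return DEMO_RESPONSES[url]


if __name__ == "__main__":
    print(fetch_first_hop_only("https://redirector.example/bounce", demo_fetch, demo_resolver))
    try:
        fetch_validated("https://redirector.example/bounce", demo_fetch, demo_resolver)
    except ValueError as exc:
        print(exc)
```

Two details matter in practice: the check runs on the resolved addresses rather than on the URL string alone, so a hostname that resolves to a private range is treated the same as a literal private IP, and it runs again for every redirect target, so a 302 from a public host to an internal service is refused before any request is sent. A real deployment should also keep the resolved address for the actual connection (to avoid a DNS answer changing between the check and the fetch) and apply the same check to the WAF-facing endpoint listed under Mitigation.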

Mitigation:
  • Upgrade to one of the versions of dotCMS listed above:
    • 22.08
    • LTS 21.06.12
    • LTS 22.03.4
  • Use a WAF to prevent POSTs to the /api/v1/temp/byUrl endpoint
References:
  • CVE-2022-37033