Issues » Directory Traversal with RCE

Issue: SI-67
Date: Dec 15, 2022, 11:15:00 AM
Severity: Medium
Requires Admin Access: Yes
Fix Version: 22.12+, LTS 21.06.12+, LTS 22.03.4+
Credit: Christos - Minas Mathas

An authenticated directory traversal vulnerability in dotCMS API can lead to RCEA zip file at the "/api/integrity/_fixconflictsfromremote" endpoint is accepted and extracted without performing path traversal check. This can be exploited by sending a specially crafted zip file which contains directory traversal characters in the file content names (/../../ This allows for the contents to be extracted at an arbitrary path inside the system.

This vulnerability requires Admin privileges to exploit.

  • Upgrade to one of the versions of dotCMS listed above:
    • 22.12
    • LTS 21.06.12
    • LTS 22.03.4
  • Use a WAF to prevent POSTs to the /api/integrity/_fixconflictsfromremote