Incorrect access control can lead to information disclosure and remote execution

Issue: SI-54
Date: Jan 9, 2020, 10:30:00 AM
Severity: Critical
Requires Admin Access: No
Fix Version: 5.2.4
Credit: Internal Security Team

dotCMS fails to normalize the URI string when checking whether a user should have access to a specific directory. If a dotCMS installation stores its assets under Tomcat's webapps/ROOT/assets directory, the files and data stored there can be accessed by crafting a URI that traverses the directory structure, like so:


Additionally, when files are uploaded to dotCMS, it creates a temporary file that lives under the ./assets directory and whose location is knowable. This allows a malicious user to upload an executable file such as a JSP and use it to perform remote command execution with the permissions of the user running the dotCMS application.


If you are unable to upgrade to dotCMS 5.2.4 or higher, there are workarounds that can be applied:

  1. The dotCMS /assets and /dotsecure directories should be stored in folders outside the webapps/ROOT directory. You can configure dotCMS to load them from external locations in the file by setting these variables:



  2. OSGi plugin fix: dotCMS has created an OSGi plugin that normalizes any URI passed to dotCMS, which mitigates the issue. This plugin can be found here: It can be dynamically loaded into a 5.x series dotCMS instance and will mitigate the issue.

  3. Add a constraint to web.xml: if you are unable to move your /assets directory, you can add constraints to your web.xml to prevent unauthorized access to your ./assets and ./dotsecure directories, as detailed in this issue:
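To make the root cause concrete, and to show what the normalizing plugin in workaround 2 has to do, here is a small Python illustration added to this advisory (it is not dotCMS code): a prefix check on the raw request string beside one that decodes and canonicalizes the URI before deciding. The protected prefixes and the sample requests are constructed for the example.

```python
import posixpath
from urllib.parse import unquote

# Constructed for this example: the two directories the advisory says must not
# be reachable through the web root.
PROTECTED_PREFIXES = ("/assets/", "/dotsecure/")


def is_protected_raw(uri: str) -> bool:
    """Flawed check, modelled on the advisory's description: it matches the raw
    request string, so a URI that reaches the directory through '..' segments,
    percent-encoding or doubled slashes never matches the prefix."""
    return uri.startswith(PROTECTED_PREFIXES)


def normalize_uri(uri: str) -> str:
    """Reduce a request URI to one canonical absolute path: drop the query
    string, percent-decode until stable (undoes double encoding), treat
    backslashes as separators, collapse '.', '..' and repeated slashes, and
    never climb above the web root."""
    path = uri.split("?", 1)[0]
    decoded = unquote(path)
    while decoded != path:  # keep decoding until nothing changes
        path, decoded = decoded, unquote(decoded)
    path = "/" + path.replace("\\", "/").lstrip("/")  # exactly one leading slash
    return posixpath.normpath(path)  # a leading '/..' collapses to '/'


def is_protected(uri: str) -> bool:
    """Hardened check: decide on the canonical path, not on the raw string."""
    canonical = normalize_uri(uri)
    return (canonical + "/").startswith(PROTECTED_PREFIXES)


if __name__ == "__main__":
    # Constructed sample requests; the second and third reach the protected
    # directories only after normalization, which is what the raw check misses.
    for sample in ("/assets/site/file.txt",
                   "/images/../assets/site/file.txt",
                   "/%252e%252e/dotsecure/secret",
                   "/assets/../index.html"):
        print(f"{sample:36} raw={is_protected_raw(sample)!s:5} "
              f"canonical={normalize_uri(sample)} protected={is_protected(sample)}")
```

The same decode-then-normalize step belongs in front of any path-based authorization decision, whether implemented as a servlet filter or, as in workaround 2, an OSGi plugin.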