Issues » Authenticated users may instantiate arbitrary Java objects

Issue: SI-55
Date: Jun 5, 2020, 6:25:00 AM
Severity: Medium
Requires Admin Access: No
Fix Version: 5.3.0
Credit: Alvaro Munoz, Github Security Lab

An authenticated user, with permissions to create and execute Velocity files, can use the Velocity context to execute arbitrary Java objects within the dotCMS code base. When combined with the creation of script files on the server file system, this could allow an authenticated user to perform remote code execution using the JavaScriptingEngineManager.


Customers who have not upgraded to dotCMS 5.3.0 may mitigate this issue by ensuring that:

  • Only authorized users have access to create and execute Velocity files, and
  • Users with permissions to create Velocity files do not have access to create files on the server file system.