|Requires Admin Access:|Yes|
|Fix Version:|22.08+, LTS 21.06.12+, LTS 22.03.4+|
|Credit:|Fortinet / Thanh Nguyen Nguyen|
The dotCMS TempFileAPI allows a user to create temporary files from a passed-in URL. dotCMS attempts to block access to URLs that contain local IPs or private subnets, but when resolving the remote URL the TempFileAPI follows any 302 redirects that the remote URL returns. An attacker can set up a URL that returns a 302 redirect to a local resource, for example https://elasticsearch:9200, which dotCMS will follow and attempt to retrieve. Because dotCMS does not re-validate the redirect URL, the TempFileAPI can be used to return data from local/private IPs that should not be accessible remotely.
This vulnerability was introduced in dotCMS version 5.2.0. Versions before 5.2.0 are not affected by this vulnerability report.
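The control missing in the flow described above is re-validation of each redirect target. The following Python example is added here and is not dotCMS code: it follows redirects by hand and applies the same address check to every hop. The `resolve` and `fetch_once` callables, the host names other than `elasticsearch`, and all IP addresses are constructed stand-ins so the example runs offline.

```python
import ipaddress
from urllib.parse import urljoin, urlsplit

class BlockedURL(Exception):
    """Raised when a URL, or a redirect target, points at an internal address."""

def check_url(url, resolve):
    """Reject non-HTTP(S) schemes and hosts that resolve to non-public IPs."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise BlockedURL(url)
    addrs = resolve(parts.hostname)
    if not addrs:
        raise BlockedURL(f"{url} -> unresolvable")
    for addr in addrs:
        # is_global is False for loopback, link-local, private and reserved ranges.
        if not ipaddress.ip_address(addr).is_global:
            raise BlockedURL(f"{url} -> {addr}")

def fetch_revalidating(url, fetch_once, resolve, max_redirects=5):
    """Follow redirects manually, validating every hop before requesting it."""
    for _ in range(max_redirects + 1):
        check_url(url, resolve)  # runs for the first URL and for each Location
        status, location, body = fetch_once(url)
        if status not in (301, 302, 303, 307, 308):
            return body
        url = urljoin(url, location)  # resolve relative Location headers
    raise BlockedURL("too many redirects")

# Constructed sample data: a stand-in DNS table and HTTP responses.
DNS = {"cdn.example": ["93.184.216.34"], "evil.example": ["93.184.216.34"],
       "elasticsearch": ["10.0.0.5"]}
SITES = {
    "https://cdn.example/logo": (302, "/logo.png", b""),
    "https://cdn.example/logo.png": (200, None, b"PNG"),
    "https://evil.example/r": (302, "https://elasticsearch:9200", b""),
    "https://elasticsearch:9200": (200, None, b"cluster data"),
}

def demo(url):
    """Return the fetched body, or a 'blocked: ...' string if a hop is refused."""
    try:
        return fetch_revalidating(url, SITES.__getitem__, DNS.__getitem__)
    except BlockedURL as exc:
        return f"blocked: {exc}"
```

In a real client, the connection should be made to the address that was validated, since resolving the host name a second time at request time leaves a window for the answer to change.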