CVE-2022-26352

An issue was discovered in the ContentResource API in dotCMS 3.0 through 22.02. Attackers can craft a multipart form request to post a file whose filename is not initially sanitized. This allows directory traversal, in which the file is saved outside of the intended storage location. If anonymous content creation is enabled, this allows an unauthenticated attacker to upload an executable file, such as a .jsp file, that can lead to remote code execution.

CVSS v3 9.8 CRITICAL
CVSS v2.0 6.8 MEDIUM

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://packetstormsecurity.com/files/167365/dotCMS-Shell-Upload.html	Exploit Third Party Advisory VDB Entry
https://groups.google.com/g/dotcms	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:dotcms:dotcms:*:*:*:*:*:*:*:*

History

08 Aug 2023, 14:21

Type	Values Removed	Values Added
CWE	CWE-434 CWE-22	NVD-CWE-Other

25 Jul 2022, 22:38

Type	Values Removed	Values Added
CPE		cpe:2.3:a:dotcms:dotcms::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 6.8 v3 : 9.8
CWE		CWE-434 CWE-22
References	~~(MISC) https://groups.google.com/g/dotcms -~~	(MISC) https://groups.google.com/g/dotcms - Third Party Advisory
References	~~(MISC) http://packetstormsecurity.com/files/167365/dotCMS-Shell-Upload.html -~~	(MISC) http://packetstormsecurity.com/files/167365/dotCMS-Shell-Upload.html - Exploit, Third Party Advisory, VDB Entry
First Time		Dotcms Dotcms dotcms

17 Jul 2022, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-07-17 22:15

Updated : 2023-12-10 14:35

NVD link : CVE-2022-26352

Mitre link : CVE-2022-26352

CVE.ORG link : CVE-2022-26352

JSON object : View

Products Affected

dotcms

dotcms

CWE

NVD-CWE-Other

{"id": "CVE-2022-26352", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2022-07-17T22:15:08.787", "references": [{"url": "http://packetstormsecurity.com/files/167365/dotCMS-Shell-Upload.html", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "source": "cve@mitre.org"}, {"url": "https://groups.google.com/g/dotcms", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in the ContentResource API in dotCMS 3.0 through 22.02. Attackers can craft a multipart form request to post a file whose filename is not initially sanitized. This allows directory traversal, in which the file is saved outside of the intended storage location. If anonymous content creation is enabled, this allows an unauthenticated attacker to upload an executable file, such as a .jsp file, that can lead to remote code execution."}, {"lang": "es", "value": "Se ha detectado un problema en la API ContentResource de dotCMS versiones 3.0 hasta 22.02. Los atacantes pueden dise\u00f1ar una petici\u00f3n de formulario multiparte para publicar un archivo cuyo nombre de archivo no est\u00e1 inicialmente saneado. Esto permite un salto de directorio, en el que el archivo es guardado fuera de la ubicaci\u00f3n de almacenamiento prevista. Si la creaci\u00f3n de contenido an\u00f3nimo est\u00e1 habilitada, esto permite a un atacante no autenticado subir un archivo ejecutable, como un archivo .jsp, que puede conllevar a una ejecuci\u00f3n de c\u00f3digo remota"}], "lastModified": "2023-08-08T14:21:49.707", "cisaActionDue": "2022-09-15", "cisaExploitAdd": "2022-08-25", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:dotcms:dotcms:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4E579E5C-8595-4985-9E3A-6E44DD314410", "versionEndIncluding": "22.02", "versionStartIncluding": "3.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org", "cisaRequiredAction": "Apply updates per vendor instructions.", "cisaVulnerabilityName": "dotCMS Unrestricted Upload of File Vulnerability"}