CVE-2022-37033: TempFileAPI can bypass access restrictions to access local/private network resources

In dotCMS 5.x-22.06, TempFileAPI allows a user to create a temporary file based on a passed-in URL, while attempting to block any SSRF access to local IP addresses or private subnets. In resolving this URL, the TempFileAPI follows any 302 redirects that the remote URL returns. Because there is no re-validation of the redirect URL, the TempFileAPI can be used to return data from those local/private hosts that should not be accessible remotely.


Issue:

SI-64

Date:

Aug 25, 2022, 9:30:00 AM

Severity:

Moderate

Requires Admin Access:

Yes

Fix Version:

22.08+, LTS 21.06.12+, LTS 22.03.4+

Credit:

Fortinet / Thanh Nguyen Nguyen

Description:

dotCMS TempFileAPI allows a user to create temporary files based on a passed-in URL, though dotCMS attempts to block any access to URLs that contain local IPs or private subnets. In resolving the remote URL, the TempFileAPI follows any 302 redirects that the remote URL returns. An attacker can set up a URL that returns a 302 redirect to a local resource, for example, https://elasticsearch:9200, which dotCMS will follow and attempt to retrieve. Because dotCMS does not re-validate the redirect URL, the TempFileAPI can be used to return data from local/private IPs that should not be accessible remotely.

This vulnerability was introduced in dotCMS version 5.2.0. Users of versions before that are not affected by this vulnerability report.
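The flaw described above is a policy gap rather than a parsing bug: the destination is checked once, but the HTTP client then follows a 302 to a host that was never checked. The following added example (not dotCMS code, and not the fix the project shipped) shows the two patterns side by side in Python. It replaces real DNS and the network with constructed tables (`FAKE_DNS`, `FAKE_SERVERS`) so it runs offline; the hostnames `attacker.example` and `elasticsearch`, the placeholder public address 93.184.216.34, and the function names are all assumptions of the example. `fetch_by_url_vulnerable` validates only the caller-supplied URL and then follows redirects blindly; `fetch_by_url_hardened` runs the same validation on every hop, including each `Location` target, before issuing the request.

```python
import ipaddress
from urllib.parse import urljoin, urlparse

# --- Constructed stand-ins for DNS and the network (sample values, not dotCMS's) ---
# Hostname -> resolved addresses. 93.184.216.34 is a placeholder public address.
FAKE_DNS = {
    "attacker.example": ["93.184.216.34"],
    "elasticsearch": ["10.0.0.5"],
}

# URL -> (status, headers, body). The first entry models the 302 described in the advisory.
FAKE_SERVERS = {
    "https://attacker.example/file.txt": (302, {"Location": "https://elasticsearch:9200/"}, b""),
    "https://elasticsearch:9200/": (200, {}, b'{"cluster_name": "internal"}'),
    "https://attacker.example/ok.txt": (200, {}, b"harmless content"),
}

REDIRECT_CODES = {301, 302, 303, 307, 308}


def resolve(host):
    """Return the addresses a hostname resolves to (IP literals resolve to themselves)."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return FAKE_DNS.get(host, [])


def is_disallowed_address(ip_str):
    """True for loopback, RFC 1918/ULA, link-local, multicast, reserved or unspecified addresses."""
    ip = ipaddress.ip_address(ip_str)
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_url(url, resolver=resolve):
    """Reject URLs whose scheme is not http(s) or whose host resolves to a non-public address."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parsed.scheme!r}")
    host = parsed.hostname
    if not host:
        raise ValueError("URL has no host")
    addresses = resolver(host)
    if not addresses:
        raise ValueError(f"host does not resolve: {host}")
    for addr in addresses:
        if is_disallowed_address(addr):
            raise ValueError(f"host {host} resolves to disallowed address {addr}")


def fetch_once(url, servers=FAKE_SERVERS):
    """One request with redirects NOT followed automatically; served from the constructed table."""
    if url not in servers:
        raise ConnectionError(f"no constructed response for {url}")
    return servers[url]


def fetch_by_url_vulnerable(url, max_redirects=5):
    """Flawed pattern: the caller-supplied URL is validated once, then redirects are followed blindly."""
    validate_url(url)
    for _ in range(max_redirects + 1):
        status, headers, body = fetch_once(url)
        if status in REDIRECT_CODES:
            url = urljoin(url, headers["Location"])  # no re-validation of the new target
            continue
        return url, body
    raise ValueError("too many redirects")


def fetch_by_url_hardened(url, max_redirects=5):
    """Fixed pattern: every hop, including each redirect target, passes validate_url before it is fetched."""
    for _ in range(max_redirects + 1):
        validate_url(url)
        status, headers, body = fetch_once(url)
        if status in REDIRECT_CODES:
            url = urljoin(url, headers["Location"])
            continue
        return url, body
    raise ValueError("too many redirects")


def probe(fetcher, url):
    """Run a fetcher and report the outcome as a tuple so the two policies can be compared."""
    try:
        final_url, body = fetcher(url)
        return ("fetched", final_url, body)
    except ValueError as exc:
        return ("blocked", str(exc))


if __name__ == "__main__":
    target = "https://attacker.example/file.txt"
    print("vulnerable:", probe(fetch_by_url_vulnerable, target))
    print("hardened:  ", probe(fetch_by_url_hardened, target))
```

Two design points carry over to real code. First, the HTTP client must have automatic redirect following disabled (most libraries follow 3xx by default), otherwise the per-hop check never runs. Second, validating the hostname and then letting the client resolve it again leaves a window for DNS answers to change between check and use; a stricter implementation resolves once, checks the resulting address, and connects to that address while still sending the original Host/SNI.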

Mitigation:

  • Upgrade to one of the versions of dotCMS listed above:
    • 22.08
    • LTS 21.06.12
    • LTS 22.03.4
  • Use a WAF to prevent POSTs to the /api/v1/temp/byUrl endpoint

References

  • CVE-2022-37033
