Summary
A user with privileges to edit templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running dotCMS.
Product
dotCMS
Tested Version
5.2.7 Release
Details
Server-Side Template Injection (Velocity)
Even though dotCMS does a good job installing the Velocity SecureUberspector to sandbox the content templates, it stills exposes a number of objects through the Templating API that can be used to circumvent the sandbox and achieve remote code execution.
Deep inspection of the exposed objects’ object graph allows an attacker to get access to objects that allow them to instantiate arbitrary Java objects.
Impact
This issue may lead to Remote Code Execution.
Coordinated Disclosure Timeline
This report was subject to the GHSL coordinated disclosure policy.
- 03/23/2020: Sent report to security@dotcms.com
- 03/26/2020: Issue is acknowledged
- 05/13/2020: Issue is fixed as part of the 5.3 release
Credit
This issue was discovered and reported by GHSL team member @pwntester (Alvaro Munoz).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2020-047 in any communication regarding this issue.