Vulnerability Note VU#898083
dotCMS template permissions allow arbitrary code execution
Overview
The dotCMS content management system version 1.9 and possibly earlier versions, contains a vulnerability that allows users with the appropriate permissions to create a malicious template with arbitrary code.
Description
An authenticated dotCMS user with the permissions required to author and upload templates may create a malicious XSLT or Velocity template that can execute arbitrary java code. The arbitrary java code will run with the permissions of the web service account. |
Impact
An authenticated attacker with the permissions to create a template may upload a malicious XSLT or Velocity template that can run arbitrary java code. In some cases, the attacker may be able to exploit this vulnerability to obtain a shell on the web server. |
Solution
Apply an Update dotCMS version 1.9.5.1 or 2.0.1 and later address these vulnerabilities. If you are unable to upgrade please consider the following workarounds. |
Workarounds |
Vendor Information (Learn More)
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| dotCMS | Affected | 13 Apr 2012 | 01 May 2012 |
CVSS Metrics (Learn More)
| Group | Score | Vector |
|---|---|---|
| Base | 8.5 | AV:N/AC:M/Au:S/C:C/I:C/A:C |
| Temporal | 6.9 | E:POC/RL:U/RC:UC |
| Environmental | 6.9 | CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND |
References
- http://dotcms.com/
- https://github.com/dotCMS/dotCMS/issues/261
- https://github.com/dotCMS/dotCMS/issues/281
- https://velocity.apache.org/engine/devel/apidocs/org/apache/velocity/util/introspection/SecureUberspector.html
- https://gist.github.com/2627440
Credit
Thanks to Ben Murphy for reporting this vulnerability.
This document was written by Jared Allar.
Other Information
- CVE IDs: CVE-2012-1826
- Date Public: 25 May 2012
- Date First Published: 25 May 2012
- Date Last Updated: 25 May 2012
- Document Revision: 25
Feedback
If you have feedback, comments, or additional information about this vulnerability, please send us email.
View Notes By
Report a Vulnerability
Please use the Vulnerability Reporting Form to report a vulnerability. Alternatively, you can send us email. Be sure to read our vulnerability disclosure policy.