DotCMS unrestricted file upload (CVE-2022-26352) - Vulnerability Database

Description

DotCMS versions prior to the patched release (22.03) contain an unrestricted file upload vulnerability that allows unauthenticated attackers to upload arbitrary files to the server without proper validation. The flaw is exploited through directory traversal in multipart file uploads, which lets an attacker bypass security controls and place malicious files in executable directories, leading to remote code execution.

Remediation

Immediately upgrade DotCMS to version 22.03 or later, which addresses this vulnerability. If immediate patching is not possible, implement the following temporary mitigations:

1. Restrict access to file upload endpoints at the network level using firewall rules or web application firewall (WAF) policies
2. Implement strict authentication requirements for all file upload functionality
3. Monitor server logs for suspicious file upload activity, particularly uploads to unusual directories or with executable extensions (.jsp, .jspx)
4. Review existing uploaded files for unauthorized or suspicious content

After upgrading, verify that file upload validation is functioning correctly and conduct a security assessment to ensure no malicious files were uploaded prior to remediation.
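As an added example for mitigation 3 (not code from this advisory or from the DotCMS project), the following Python sketch audits a captured multipart request body, such as one recorded by a WAF or reverse proxy, and flags client-supplied filenames that contain traversal segments or the `.jsp`/`.jspx` extensions named above. The function names and the sample body are constructed for illustration.

```python
import re
from urllib.parse import unquote

EXECUTABLE_EXTS = (".jsp", ".jspx")  # extensions named in the advisory
# Client-supplied filename in a multipart part header (quoted or bare token).
FILENAME_RE = re.compile(
    r'content-disposition:[^\r\n]*?\bfilename=(?:"([^"\r\n]*)"|([^;\r\n]+))',
    re.IGNORECASE)

def classify_filename(name):
    """Return the reasons a client-supplied upload filename is suspicious."""
    decoded = name
    for _ in range(3):  # undo nested percent-encoding such as %252e%252e%252f
        decoded, previous = unquote(decoded), decoded
        if decoded == previous:
            break
    path = decoded.replace("\\", "/")  # treat Windows separators like "/"
    reasons = []
    if ".." in path.split("/"):
        reasons.append("path traversal segment")
    if path.startswith("/") or re.match(r"[A-Za-z]:/", path):
        reasons.append("absolute path")
    if "\x00" in path:
        reasons.append("NUL byte")
    base = path.rsplit("/", 1)[-1].lower().rstrip(". ")  # ignore trailing dots/spaces
    if base.endswith(EXECUTABLE_EXTS):
        reasons.append("executable extension")
    return reasons

def audit_multipart(body):
    """Return [(raw_filename, reasons)] for suspicious parts of a captured body."""
    findings = []
    for m in FILENAME_RE.finditer(body):
        name = (m.group(1) if m.group(1) is not None else m.group(2)).strip()
        reasons = classify_filename(name)
        if reasons:
            findings.append((name, reasons))
    return findings

# Constructed sample request body (not taken from a real capture).
SAMPLE_BODY = "\r\n".join([
    "--b", 'Content-Disposition: form-data; name="f"; filename="report.pdf"', "", "x",
    "--b", 'Content-Disposition: form-data; name="f"; filename="../../some/dir/page.jsp"', "", "x",
    "--b", 'Content-Disposition: form-data; name="f"; filename="%2e%2e%5cb.jspx"', "", "x",
    "--b--", ""])

if __name__ == "__main__":
    for name, reasons in audit_multipart(SAMPLE_BODY):
        print(f"{name!r}: {', '.join(reasons)}")
```

The same `classify_filename` check can be applied to filenames extracted from WAF or proxy logs when full request bodies are not retained.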
