Issues » Authenticated users may instantiate arbitrary Java objects

Issue: SI-55
Date: Jun 5, 2020, 6:25:00 AM
Severity: Medium
Requires Admin Access: No
Fix Version: 5.3.0
Credit: Alvaro Munoz, Github Security Lab
Description:

An authenticated user, with permissions to create and execute Velocity files, can use the Velocity context to execute arbitrary Java objects within the dotCMS code base. When combined with the creation of script files on the server file system, this could allow an authenticated user to perform remote code execution using the JavaScriptingEngineManager.

Mitigation:

Customers who have not upgraded to dotCMS 5.3.0 may mitigate this issue by ensuring that:

  • Only authorized users have access to create and execute Velocity files, and
  • Users with permissions to create Velocity files do not have access to create files on the server file system.
References

https://github.com/dotCMS/core/issues/18318

GHSL-2020-047

Highly Rated and Recommended

We're rated Excellent 4.2/5 stars on G2 - with 95+ verified reviews