CVE-2020-6754 - OpenCVE

dotCMS before 5.2.4 is vulnerable to directory traversal, leading to incorrect access control. It allows an attacker to read or execute files under $TOMCAT_HOME/webapps/ROOT/assets (which should be a protected directory). Additionally, attackers can upload temporary files (e.g., .jsp files) into /webapps/ROOT/assets/tmp_upload, which can lead to remote command execution (with the permissions of the user running the dotCMS application).

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Dotcms	Dotcms

Configuration 1 [-]

cpe:2.3:a:dotcms:dotcms:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://dotcms.com/security/SI-54
https://github.com/dotCMS/core/issues/17796

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2020-02-05T16:08:28

Updated: 2024-08-04T09:11:04.663Z

Reserved: 2020-01-09T00:00:00

Link: CVE-2020-6754

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-02-05T17:15:10.537

Modified: 2020-02-07T19:33:52.667

Link: CVE-2020-6754

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2020-01-09T00:00:00", "descriptions": [{"lang": "en", "value": "dotCMS before 5.2.4 is vulnerable to directory traversal, leading to incorrect access control. It allows an attacker to read or execute files under $TOMCAT_HOME/webapps/ROOT/assets (which should be a protected directory). Additionally, attackers can upload temporary files (e.g., .jsp files) into /webapps/ROOT/assets/tmp_upload, which can lead to remote command execution (with the permissions of the user running the dotCMS application)."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-02-05T16:08:28", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://dotcms.com/security/SI-54"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/dotCMS/core/issues/17796"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-6754", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "dotCMS before 5.2.4 is vulnerable to directory traversal, leading to incorrect access control. It allows an attacker to read or execute files under $TOMCAT_HOME/webapps/ROOT/assets (which should be a protected directory). Additionally, attackers can upload temporary files (e.g., .jsp files) into /webapps/ROOT/assets/tmp_upload, which can lead to remote command execution (with the permissions of the user running the dotCMS application)."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://dotcms.com/security/SI-54", "refsource": "CONFIRM", "url": "https://dotcms.com/security/SI-54"}, {"name": "https://github.com/dotCMS/core/issues/17796", "refsource": "CONFIRM", "url": "https://github.com/dotCMS/core/issues/17796"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T09:11:04.663Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://dotcms.com/security/SI-54"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/dotCMS/core/issues/17796"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-6754", "datePublished": "2020-02-05T16:08:28", "dateReserved": "2020-01-09T00:00:00", "dateUpdated": "2024-08-04T09:11:04.663Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dotcms:dotcms:*:*:*:*:*:*:*:*", "matchCriteriaId": "2D050CDF-DD0B-4386-8312-85C43B43536B", "versionEndExcluding": "5.2.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "dotCMS before 5.2.4 is vulnerable to directory traversal, leading to incorrect access control. It allows an attacker to read or execute files under $TOMCAT_HOME/webapps/ROOT/assets (which should be a protected directory). Additionally, attackers can upload temporary files (e.g., .jsp files) into /webapps/ROOT/assets/tmp_upload, which can lead to remote command execution (with the permissions of the user running the dotCMS application)."}, {"lang": "es", "value": "dotCMS versiones anteriores a 5.2.4, es vulnerable a salto de directorio, lo que conlleva a un control de acceso incorrecto. Permite a un atacante leer o ejecutar archivos bajo $TOMCAT_HOME/webapps/ROOT/assets (que deber\u00eda ser un directorio protegido). Adem\u00e1s, los atacantes pueden cargar archivos temporales (por ejemplo, archivos .jsp) en /webapps/ROOT/assets/tmp_upload, lo que puede conllevar a una ejecuci\u00f3n de comandos remota (con los permisos del usuario que ejecuta la aplicaci\u00f3n dotCMS)."}], "id": "CVE-2020-6754", "lastModified": "2020-02-07T19:33:52.667", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-02-05T17:15:10.537", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://dotcms.com/security/SI-54"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/dotCMS/core/issues/17796"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-434"}], "source": "nvd@nist.gov", "type": "Primary"}]}