Authenticated users may instantiate arbitrary Java objects

Issue: SI-55
Date: Jun 5, 2020 10:25:00 AM
Severity: Moderate
Requires Admin Access: Yes
Fix Version: 5.3.0
Credit: Alvaro Munoz, GitHub Security Lab
Description:

An authenticated user with permission to create and execute Velocity files can use objects exposed in the Velocity context to instantiate arbitrary Java classes available to the dotCMS code base. When combined with the ability to create script files on the server file system, this could allow an authenticated user to achieve remote code execution through the JavaScriptingEngineManager.
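The generic mechanism behind this class of issue is that, unless Velocity's introspector is restricted, any object placed in the context lets a template author reach `getClass()` and from there `Class.forName(...)` and `newInstance()`. The following is an added example written for this page, not dotCMS code and not the reported proof of concept or the 5.3.0 fix (the page does not describe what the fix changed). It renders one constructed template with a default `VelocityEngine` and again with Velocity's `SecureUberspector` configured; `java.util.Date` is chosen as a deliberately harmless class to instantiate, and the context object `$greeting` is an assumption of the example.

```java
import java.io.StringWriter;

import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.runtime.RuntimeConstants;
import org.apache.velocity.util.introspection.SecureUberspector;

public class VelocityIntrospectionDemo {

    // Constructed template for this example (not the dotCMS payload): take any
    // context object, climb to its Class, and instantiate an unrelated class by name.
    static final String TEMPLATE =
        "#set($cls = $greeting.getClass().forName(\"java.util.Date\"))"
      + "instantiated: $cls.newInstance()";

    // Render TEMPLATE with a context holding a single harmless String ($greeting is
    // an assumed name; any object at all is enough to reach getClass()).
    static String render(VelocityEngine engine, String template) throws Exception {
        VelocityContext ctx = new VelocityContext();
        ctx.put("greeting", "hello");
        StringWriter out = new StringWriter();
        engine.evaluate(ctx, out, "demo", template);
        return out.toString();
    }

    // Stock engine: the default Uberspect resolves getClass()/forName()/newInstance()
    // like any other method, so the template instantiates the class it names.
    static VelocityEngine defaultEngine() {
        VelocityEngine engine = new VelocityEngine();
        engine.init();
        return engine;
    }

    // Hardened engine: SecureUberspector refuses getClass()/getClassLoader() lookups
    // and refuses methods on the classes and packages in Velocity's deny-lists
    // (java.lang.Class, ClassLoader, Runtime, Thread, ... are in the shipped defaults).
    static VelocityEngine hardenedEngine() {
        VelocityEngine engine = new VelocityEngine();
        engine.setProperty(RuntimeConstants.UBERSPECT_CLASSNAME,
                           SecureUberspector.class.getName());
        // Setting this property replaces the default package list, so the shipped
        // entry java.lang.reflect is repeated alongside the additions.
        engine.setProperty(RuntimeConstants.INTROSPECTOR_RESTRICT_PACKAGES,
                           "java.lang.reflect, java.io, java.nio, javax.script");
        engine.init();
        return engine;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default : " + render(defaultEngine(), TEMPLATE));
        System.out.println("hardened: " + render(hardenedEngine(), TEMPLATE));
    }
}
```

With the stock engine the second line of output contains a freshly created `Date`; with `SecureUberspector` the `getClass()` lookup fails, so `$cls` is never set and the reference is left unrendered. Two caveats for anyone relying on this: the introspector only governs method resolution, so it does not help if the objects you put into the context themselves expose file-writing or script-evaluation helpers (the page's description concerns objects already in the dotCMS context, which is why the workaround below also limits who can write to the server file system), and the deny-lists are configuration, so review them rather than assume the defaults cover your classpath.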

Workaround:

Customers who have not upgraded to dotCMS 5.3.0 may mitigate this issue by ensuring that:

  • Only explicitly authorized users can create and execute Velocity files, and
  • Users who are permitted to create Velocity files are not also permitted to create files on the server file system.
Issues

https://github.com/dotCMS/core/issues/18318

GHSL-2020-047