Server-Side Request Forgery (SSRF) in dotcms/core

Valid

Reported on

Nov 30th 2021


Description

Hi team, I found an SSRF that allows me to access the Elasticsearch API and get the full response from the queries.

  • As can be read in the following link, dotCMS uses Elasticsearch; with this SSRF we can directly access the Elasticsearch REST API.
  • In a cloud environment, it may be possible to abuse this flaw to get Remote Code Execution.
  • A user with a few permissions is required.

Proof of Concept

  • Exploitation is easy, but the required user setup is a little different, so I uploaded a (private) video showing how to configure your users and how to use a less privileged account to explore the SSRF.

Video PoC

Impact

In my example I show how to exploit the SSRF to get access to Elasticsearch, but the exploitation is not limited to it: any web service that can be accessed via localhost can be targeted, including cloud services like the AWS APIs.

  • If this CMS is running in a cloud environment, it may be possible to abuse this flaw to get Remote Code Execution.

Possible remediation

I recommend blocking any access to local IP addresses; here's a link to the OWASP guide that fits your case.

link

Occurrences

This function only validates whether the URL uses the http(s) protocol.
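The check below is an added example of the remediation recommended above, applied to the weakness noted in this occurrence; it is not dotCMS code and not the actual fix shipped in commit ccad09. Besides the http(s) scheme test that the vulnerable function performed, it resolves the host and rejects any address that is loopback, link-local (which covers the 169.254.169.254 cloud metadata endpoint), private/site-local, IPv6 unique-local, shared address space or multicast. The class name, method names and sample URLs are assumptions for illustration.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.UnknownHostException;
import java.util.Set;

/**
 * Hypothetical hardened URL validator (example code, not dotCMS's).
 * The vulnerable check only looked at the scheme, so
 * http://127.0.0.1:9200/ passed. This version also resolves the host
 * and refuses any non-public address.
 */
public final class SafeUrlValidator {

    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");

    private SafeUrlValidator() {}

    /** Returns true only when the URL is safe for the server to fetch. */
    public static boolean isSafeUrl(String url) {
        final URI uri;
        try {
            uri = new URI(url);
        } catch (URISyntaxException e) {
            return false;
        }
        // 1. Scheme check: the only check the vulnerable code performed.
        String scheme = uri.getScheme();
        if (scheme == null || !ALLOWED_SCHEMES.contains(scheme.toLowerCase())) {
            return false;
        }
        // 2. A host is required; "http:///" or malformed authorities must not slip through.
        String host = uri.getHost();
        if (host == null || host.isEmpty()) {
            return false;
        }
        // 3. Resolve EVERY address the name maps to. A name with one public and
        //    one private record is still rejected.
        final InetAddress[] addrs;
        try {
            addrs = InetAddress.getAllByName(host);
        } catch (UnknownHostException e) {
            return false;
        }
        for (InetAddress a : addrs) {
            if (!isPublicAddress(a)) {
                return false;
            }
        }
        return true;
    }

    /** Conservative notion of "public": nothing the JDK flags as local or special. */
    static boolean isPublicAddress(InetAddress a) {
        if (a.isAnyLocalAddress()      // 0.0.0.0, ::
         || a.isLoopbackAddress()      // 127.0.0.0/8, ::1
         || a.isLinkLocalAddress()     // 169.254.0.0/16 (incl. cloud metadata), fe80::/10
         || a.isSiteLocalAddress()     // 10/8, 172.16/12, 192.168/16, fec0::/10
         || a.isMulticastAddress()) {
            return false;
        }
        byte[] b = a.getAddress();
        // IPv6 unique-local fc00::/7 is not covered by isSiteLocalAddress().
        if (b.length == 16 && (b[0] & 0xfe) == 0xfc) {
            return false;
        }
        // 100.64.0.0/10 shared address space (carrier-grade NAT).
        if (b.length == 4 && (b[0] & 0xff) == 100 && (b[1] & 0xc0) == 0x40) {
            return false;
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample inputs; every one of these should print "false".
        String[] samples = {
            "http://127.0.0.1:9200/_cat/indices",        // loopback
            "http://169.254.169.254/latest/meta-data/",  // cloud metadata, link-local
            "http://[::1]:9200/",                        // IPv6 loopback
            "http://10.0.0.5/",                          // RFC 1918
            "ftp://example.org/file",                    // wrong scheme
        };
        for (String s : samples) {
            System.out.println(isSafeUrl(s) + "  " + s);
        }
    }
}
```

Two caveats a reviewer of such a check should raise. First, resolving the name here and again inside the HTTP client is a time-of-check/time-of-use gap (DNS rebinding): connect to the address that was validated, or re-run the check from the client's connection hook, and re-validate every redirect target, since a public host that answers 302 to http://127.0.0.1:9200/ would otherwise bypass the filter. Second, a denylist of address ranges is the fallback; where the feature only ever needs a known set of destinations, an allowlist of hosts is the stronger control and is what the OWASP SSRF guidance recommends first.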

We are processing your report and will contact the dotcms/core team within 24 hours. a year ago
We have contacted a member of the dotcms/core team and are waiting to hear back a year ago
We have sent a follow up to the dotcms/core team. We will try again in 7 days. a year ago
We have sent a second follow up to the dotcms/core team. We will try again in 10 days. a year ago
Will Ezell validated this vulnerability a year ago
Vinicius Ribeiro Ferreira da Silva has been awarded the disclosure bounty
The fix bounty is now up for grabs
Will Ezell marked this as fixed in 21.12 with commit ccad09 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
TempFileAPI.java#L223-L239 has been validated
Vinicius (Researcher), a year ago:

Hi Will, can I request a CVE for this report?
