Server-Side Request Forgery (SSRF) in dotcms/core

Valid

Reported on

Nov 30th 2021


Description

Hi team, I found an SSRF that allows me to access the Elasticsearch API and get the full response from the queries

  • As can be read at the following link, dotCMS uses Elasticsearch; with this SSRF we can directly access the Elasticsearch REST API,
  • In a cloud environment, it may be possible to abuse this flaw to get Remote Code Execution
  • A user with only a few permissions is required

Proof of Concept

  • Exploitation is easy, but the required user setup is a little different, so I uploaded a (private) video showing how to configure your users and how to use a less privileged account to exploit the SSRF

Video PoC

Impact

In my example I show how to exploit the SSRF to get access to Elasticsearch, but the exploitation is not limited to it: any web service that can be accessed via localhost can be targeted, including cloud services like the AWS APIs

  • If this CMS is running in a cloud environment, it may be possible to abuse this flaw to get Remote Code Execution

Possible remediation

I recommend blocking any access to local IP addresses; here's a link to the OWASP guide that fits your case

link

Occurrences

This function only validates that the URL uses the http(s) protocol
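As an added illustration (not dotCMS code and not part of the original report), a Python version of the weak scheme-only check described above next to a hardened validator that also resolves the host and rejects loopback, private, link-local and reserved addresses, in line with the OWASP remediation the report points to. The hostnames and the DNS table are constructed so the example runs offline; real deployments would use the system resolver and repeat the check on every redirect target.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed DNS table (hostnames and records are made up for this example).
CONSTRUCTED_DNS = {
    "cms.example.com": ["93.184.216.34"],
    "localhost": ["127.0.0.1", "::1"],
    "rebind.example.com": ["93.184.216.34", "10.0.0.5"],  # one public, one internal record
}


def constructed_resolver(host):
    return CONSTRUCTED_DNS.get(host, [])


def system_resolver(host):
    # Every A/AAAA record counts: a host is only safe if all of them are.
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def scheme_only_check(url):
    """The weak check described in the report: any http(s) URL is accepted."""
    return urlsplit(url).scheme.lower() in ALLOWED_SCHEMES


def is_internal_address(ip):
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 is judged as 127.0.0.1
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def is_safe_remote_url(url, resolver=system_resolver):
    """Hardened check: http(s) only, and every address the host maps to must be public.
    Re-run it on each redirect target, since a public host can redirect to an internal one."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    host = parts.hostname
    try:
        ips = [str(ipaddress.ip_address(host))]  # literal IP, no lookup needed
    except ValueError:
        try:
            ips = resolver(host)
        except OSError:  # socket.gaierror and friends: unresolvable means reject
            return False
    return bool(ips) and all(not is_internal_address(ip) for ip in ips)
```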

We are processing your report and will contact the dotcms/core team within 24 hours. 2 months ago
We have contacted a member of the dotcms/core team and are waiting to hear back 2 months ago
We have sent a follow up to the dotcms/core team. We will try again in 7 days. 2 months ago
We have sent a second follow up to the dotcms/core team. We will try again in 10 days. 2 months ago
Will Ezell validated this vulnerability a month ago
Vinicius Ribeiro Ferreira da Silva has been awarded the disclosure bounty
The fix bounty is now up for grabs
Will Ezell confirmed that a fix has been merged on ccad09 a month ago
The fix bounty has been dropped
TempFileAPI.java#L223-L239 has been validated
Vinicius
a month ago

Researcher


Hi Will, can I request a CVE for this report?