
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2020-6754 affects dotCMS versions before 5.2.4 and was discovered on January 9, 2020. It is a directory traversal flaw that leads to incorrect access control: an attacker can read or execute files under the $TOMCAT_HOME/webapps/ROOT/assets directory, which should be a protected location (Vendor Advisory).
The root cause is that dotCMS does not normalize the URI string before checking whether a user may access a given directory, so a crafted URI can traverse the directory structure and reach protected files. In addition, when files are uploaded to dotCMS, temporary files are written under the ./assets directory at predictable locations. The vulnerability has a CVSS v3.1 base score of 9.8 (CRITICAL) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).
The vulnerability allows unauthorized access to protected files under the assets directory and enables attackers to upload temporary files (including .jsp files) into /webapps/ROOT/assets/tmp_upload. This can lead to remote command execution with the permissions of the user running the dotCMS application (Vendor Advisory).
Several mitigation options are available (Vendor Advisory):
1) Upgrade to dotCMS 5.2.4 or higher.
2) Store the dotCMS /assets and /dotsecure folders outside the webapps/ROOT directory by configuring ASSET_REAL_PATH and DYNAMIC_CONTENT_PATH in dotmarketing-config.properties.
3) Install an OSGi plugin that normalizes URI paths, available from the dotCMS GitHub repository.
4) Add constraints to web.xml to prevent unauthorized access to the ./assets and ./dotsecure directories.
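As an added illustration (not dotCMS or vendor code), the following Java shows why an access check on the raw URI is bypassable and what the normalizing fix described in the third mitigation looks like in principle; the protected directory names, class and method names, and sample URIs are assumptions constructed for the example.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.List;

/** Hypothetical example, not dotCMS code: access check before vs. after URI normalization. */
public final class ProtectedPathCheck {
    // Locations the advisory says must not be reachable over HTTP (assumed mount points).
    private static final List<String> PROTECTED = List.of("/assets", "/dotsecure");

    /** Naive check: raw prefix match on the un-normalized URI, the pattern the advisory describes as bypassable. */
    static boolean naiveBlocks(String rawUri) {
        return PROTECTED.stream().anyMatch(rawUri::startsWith);
    }

    /** Strip the query, percent-decode once, then collapse ".", ".." and empty segments. */
    static String normalize(String rawUri) {
        int q = rawUri.indexOf('?');
        String path = q >= 0 ? rawUri.substring(0, q) : rawUri;
        // URLDecoder does form decoding: protect a literal '+' so it is not turned into a space.
        path = URLDecoder.decode(path.replace("+", "%2B"), StandardCharsets.UTF_8);
        Deque<String> segments = new ArrayDeque<>();
        for (String seg : path.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) continue;        // "//" and "/./" add nothing
            if (seg.equals("..")) {                                  // step up, but never above the root
                if (!segments.isEmpty()) segments.removeLast();
                continue;
            }
            segments.addLast(seg);
        }
        return "/" + String.join("/", segments);
    }

    /** Hardened check: decide on the normalized path and respect the segment boundary. */
    static boolean hardenedBlocks(String rawUri) {
        String norm = normalize(rawUri);
        return PROTECTED.stream().anyMatch(p -> norm.equals(p) || norm.startsWith(p + "/"));
    }
    public static void main(String[] args) {
        // Constructed sample URIs: direct, traversal via "..", percent-encoded, and a look-alike prefix.
        String[] samples = { "/assets/tmp_upload/upload.jsp", "/html/../assets/tmp_upload/upload.jsp",
                             "/%61ssets/tmp_upload/upload.jsp", "/assets-public/logo.png" };
        for (String s : samples) {
            System.out.printf("%-42s naive=%-5b hardened=%-5b normalized=%s%n",
                              s, naiveBlocks(s), hardenedBlocks(s), normalize(s));
        }
    }
}
```

The last sample shows the other half of the boundary problem: a plain prefix match also blocks an unrelated directory that merely begins with "/assets", while the normalized check with a segment boundary does not.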
Source: This report was generated using AI