CVE-2022-26352: 
dotCMS vulnerability analysis and mitigation

A critical vulnerability (CVE-2022-26352) was discovered in the ContentResource API of dotCMS versions 3.0 through 22.02. The vulnerability allows attackers to craft a multipart form request to upload files with unsanitized filenames, enabling directory traversal attacks. When anonymous content creation is enabled (which is the default configuration), unauthenticated attackers can upload executable files like .jsp files outside the intended storage location, potentially leading to remote code execution (NVD, Assetnote).

The vulnerability exists in the ContentResource API's file upload functionality where the filename parameter in multipart form requests is not properly sanitized. The API endpoint /api/content/ accepts POST and PUT requests with multipart/form-data content type. The vulnerability is triggered when a specially crafted filename containing directory traversal sequences (../) is submitted, allowing files to be written outside the intended directory. The CVSS v3.1 base score is 9.8 CRITICAL (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating the severity of the vulnerability (NVD).

The vulnerability allows attackers to upload arbitrary files to any location on the system accessible by the application service account. By uploading a JSP file to the Tomcat's root directory, attackers can achieve remote code execution and execute arbitrary commands on the underlying system. This can lead to complete system compromise in default configurations (Assetnote).

Organizations should immediately update to dotCMS versions 22.03, 5.3.8.10, or 21.06.7 or later which contain patches for this vulnerability. If immediate patching is not possible, organizations should disable anonymous content creation by setting CONTENTAPISALLOW_ANONYMOUS to false (Assetnote).