
Cloud Vulnerability DB
A community-led vulnerabilities database
dotCMS before version 22.06 contains a security vulnerability (CVE-2022-35740) that allows remote attackers to bypass intended access control and obtain sensitive information. The LTS branches are also affected in versions before 5.3.8.12, 21.06.9, and 22.03.2. The issue was discovered by Fortinet and reported in June 2022 (Fortinet Blog, DotCMS Advisory).
The vulnerability stems from the way dotCMS handles matrix parameters in URLs. Matrix parameters are URI parameters separated by semicolons inside a path segment, and they are accepted by Java web stacks including Spring and Tomcat. By placing semicolons at precise positions in a URI, an attacker can bypass dotCMS's path-based XSS prevention filters and reach restricted resources. For example, a semicolon placed immediately before a forward slash that separates filesystem path elements can expose file content that is normally restricted to authenticated users (NVD, DotCMS Advisory).
The bypass lets attackers obtain sensitive information that should be accessible only to authenticated users. It can also be chained with other exploit code to mount Cross-Site Scripting (XSS) attacks against dotCMS (NVD, DotCMS Advisory).
The vulnerability is fixed in dotCMS version 22.06 and later. For LTS users, fixes are available in versions 5.3.8.12, 21.06.9, and 22.03.2. Where upgrading is not immediately possible, two mitigations are offered: a WAF rule that disallows semicolons in the URI portion of request URLs, or the security interceptor plugin for dotCMS 5.1.6 and later, available from the official patches repository (DotCMS Advisory, GitHub Patch).
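As an added illustration (not code from dotCMS, the advisory, or the Wiz database), the following Python sketch shows why a path-prefix access check applied to the raw URI misses a segment carrying matrix parameters, how the same rule behaves once the path is canonicalized the way a servlet container resolves it, and the coarse semicolon-rejecting WAF rule the advisory describes. The protected prefixes and the sample paths are constructed for the example.

```python
from urllib.parse import unquote

# Constructed policy: paths under these prefixes require an authenticated session.
PROTECTED_PREFIXES = ("/protected/", "/admin/")


def normalize_path(raw_path: str) -> str:
    """Canonicalize a request path the way an access filter must see it.

    Percent-decode, drop the matrix parameters (';key=value') that a servlet
    container strips from each segment before resolving the resource, skip
    empty and '.' segments, and resolve '..'.
    """
    segments = []
    for seg in unquote(raw_path).split("/"):
        seg = seg.split(";", 1)[0]  # matrix params never reach the file lookup
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def naive_is_protected(raw_path: str) -> bool:
    """Weak filter: matches the raw URI, so '/protected;/x' is not seen as protected."""
    return raw_path.startswith(PROTECTED_PREFIXES)


def hardened_is_protected(raw_path: str) -> bool:
    """Apply the same prefix rule to the canonical path the container will resolve."""
    return normalize_path(raw_path).startswith(PROTECTED_PREFIXES)


def waf_reject(raw_path: str) -> bool:
    """Coarse WAF rule from the advisory: reject any ';' in the path part of the URL.

    The check runs on the decoded path so an encoded ';' (%3B) is caught too;
    the query string (after '?') is left alone.
    """
    return ";" in unquote(raw_path.split("?", 1)[0])
```

The contrast between `naive_is_protected` and `hardened_is_protected` is the whole point: an access decision must be made on the same canonical path the resource lookup will use, not on the raw request string.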
Source: This report was generated using AI