
Cloud Vulnerability DB
A community-led vulnerabilities database
dotCMS versions 5.x through 22.06 contain a vulnerability in the TempFileAPI component, which lets users create temporary files from a URL they supply. The flaw, tracked as CVE-2022-37033, was discovered by Fortinet's FortiGuard Labs in June 2022 and publicly disclosed in August 2022. It affects dotCMS installations from version 5.2.0 onwards (DotCMS Security, FortiGuard Labs).
The vulnerability stems from the TempFileAPI's handling of URL redirects. The API attempts to block SSRF (Server-Side Request Forgery) by refusing URLs that point at local IP addresses or private subnets, but it follows 302 redirects from remote URLs without re-validating the redirect destination. Because no secondary check is applied to the redirected URL, an attacker can bypass the initial validation (DotCMS Security).
The vulnerability enables attackers to access and retrieve data from local or private hosts that should not be reachable remotely. Internal network resources, such as an Elasticsearch instance listening on port 9200, could thereby be exposed to unauthorized access (DotCMS Security).
dotCMS has released patches in versions 22.08+, LTS 21.06.12+, and LTS 22.03.4+, and organizations are strongly advised to upgrade to one of these versions. As a workaround, administrators can use a Web Application Firewall (WAF) to block POST requests to the /api/v1/temp/byUrl endpoint (DotCMS Security).
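As an added illustration (not dotCMS's own code), the following Python sketch contrasts the vulnerable fetch pattern described above, where the SSRF check runs only on the submitted URL, with a hardened version that re-validates every redirect hop before requesting it. The host names, addresses and HTTP responses are constructed test doubles so that it runs offline.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

REDIRECTS = (301, 302, 303, 307, 308)
MAX_HOPS = 5
# Loopback, RFC 1918, link-local (incl. cloud metadata 169.254.169.254), CGNAT, ULA.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def destination_allowed(url, resolver=socket.gethostbyname):
    """Allow only http(s) URLs whose host resolves outside BLOCKED_NETWORKS."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    try:
        addr = ipaddress.ip_address(resolver(parsed.hostname))
    except (socket.gaierror, ValueError):
        return False  # fail closed when the host does not resolve
    mapped = getattr(addr, "ipv4_mapped", None)  # unwrap ::ffff:a.b.c.d
    if mapped is not None:
        addr = mapped
    return not any(addr in net for net in BLOCKED_NETWORKS)

def fetch_via_redirects(url, fetch, resolver=socket.gethostbyname, revalidate=True):
    """Follow up to MAX_HOPS redirects; fetch(url) returns (status, location, body).
    revalidate=False is the vulnerable pattern: only the submitted URL is checked."""
    for hop in range(MAX_HOPS):
        if (revalidate or hop == 0) and not destination_allowed(url, resolver):
            raise ValueError(f"blocked destination: {url}")
        status, location, body = fetch(url)
        if status in REDIRECTS and location:
            url = urljoin(url, location)  # Location may be relative
            continue
        return body
    raise ValueError("too many redirects")

# Constructed offline test doubles: a public host 302-redirects to Elasticsearch on loopback.
FAKE_DNS = {"cdn.example.test": "203.0.113.10"}
FAKE_HTTP = {
    "http://cdn.example.test/logo.png": (302, "http://127.0.0.1:9200/", b""),
    "http://127.0.0.1:9200/": (200, None, b'{"cluster_name": "internal"}'),
}

def fake_resolver(host):  # literal IP addresses pass straight through
    return FAKE_DNS.get(host) or str(ipaddress.ip_address(host))
def fake_fetch(url):
    return FAKE_HTTP[url]
```

With `revalidate=False` the call returns the internal Elasticsearch response; with the default `revalidate=True` the second hop is refused.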
Source: This report was generated using AI