CVE-2022-37034: 
dotCMS vulnerability analysis and mitigation

A vulnerability was discovered in dotCMS 5.x-22.06 (introduced in version 5.2.0) related to the TempResource functionality. The vulnerability, identified as CVE-2022-37034, was discovered by Fortinet's FortiGuard Labs researcher Thanh Nguyen Nguyen and disclosed in August 2022. The issue allows attackers to make multiple calls to the TempFileResource, each requesting the dotCMS server to download large files (DotCMS Security, Fortinet Blog).

The vulnerability exists in the TempFileAPI when it attempts to access and download contents from remote URLs. The issue specifically affects the /api/v1/temp/byUrl endpoint. When exploited, the vulnerability can lead to memory exhaustion through multiple simultaneous requests for large file downloads (Fortinet Blog).

When successfully exploited, this vulnerability results in the exhaustion of Tomcat request-thread pool, ultimately leading to a denial of service condition where the server becomes unable to process any other requests (DotCMS Security).

Several mitigation options are available: 1) Upgrade to patched versions including 22.10+, LTS 21.06.12+, or LTS 22.03.4+, 2) Set TEMPRESOURCEALLOW_ANONYMOUS=false, 3) Implement a Web Application Firewall (WAF) to prevent POST requests to the /api/v1/temp/byUrl endpoint (DotCMS Security).