CVE-2024-3164: 
dotCMS vulnerability analysis and mitigation

CVE-2024-3164 is a broken access control vulnerability discovered in dotCMS dashboard affecting the System → Maintenance Portlet. The vulnerability allows users with Site Admin role, but without CMS Admin privileges, to access sensitive administrative functions that should be restricted to system administrators only. The issue was discovered internally and disclosed on March 15, 2024 (DotCMS Security).

The vulnerability exists in the Tools and Log Files tabs under System → Maintenance Portlet, where the access control mechanism incorrectly allows users with Site Admin role to access system administration features. The vulnerability has been assigned a CVSS v3.1 base score of 4.5 (Medium) with the vector string AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N, indicating that while the vulnerability requires high privileges and user interaction, it can potentially lead to unauthorized access to sensitive information (DotCMS Security).

The vulnerability allows unauthorized access to sensitive system maintenance tools, including the ability to download database dumps and view database credentials in log files. This exposure could lead to unauthorized access to sensitive system information and potentially compromise the security of the entire system (DotCMS Security).

The issue has been fixed in multiple versions including 24.03.22, 22.03.15 LTS, 23.01.15 LTS, and 23.10.24v8 LTS. The fix ensures that users with site admin role no longer have access to the System Maintenance portlet, restricting these functions to system administrators only (DotCMS Security).