CVE-2022-37033
CVE-2022-37033 is a medium-severity server-side request forgery (SSRF) vulnerability rated 6.5/10 on the CVSS 3.1 scale. In dotCMS 5.x through 22.06, TempFileAPI lets a user create a temporary file from a supplied URL and tries to block SSRF against local IP addresses and private subnets, but it follows 302 redirects returned by the remote host without re-validating the redirect target, so an authenticated user can pull data from hosts that should not be reachable from outside. EPSS estimates a 0.84% chance of exploitation in the next 30 days.
Description
In dotCMS 5.x-22.06, TempFileAPI allows a user to create a temporary file based on a passed in URL, while attempting to block any SSRF access to local IP addresses or private subnets. In resolving this URL, the TempFileAPI follows any 302 redirects that the remote URL returns. Because there is no re-validation of the redirect URL, the TempFileAPI can be used to return data from those local/private hosts that should not be accessible remotely.
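The redirect gap described above and in the summary, shown as an added example in Python (this is not dotCMS code and does not reproduce TempFileAPI). The fake DNS table, the fake HTTP responses and the hostnames in them are constructed for the demo; `fetch_vulnerable` validates only the first URL and then follows redirects blindly, while `fetch_hardened` disables automatic redirects and re-runs the same check on every hop:

```python
"""Added example (not dotCMS code): SSRF guard that re-validates every redirect hop.

Models the CVE-2022-37033 pattern: the target of the *initial* URL is checked
against local/private ranges, but the HTTP client then follows 302 redirects on
its own, so a redirect to 169.254.169.254 or 127.0.0.1 slips through.
FAKE_DNS and FAKE_HTTP below are constructed for the demo.
"""
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

# Ranges a remote-fetch feature should never reach. An explicit list keeps the
# policy visible and stable across Python versions (ipaddress.is_private changed).
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]

REDIRECT_CODES = (301, 302, 303, 307, 308)


def is_blocked_address(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    # IPv4 mapped into IPv6 (::ffff:127.0.0.1) must be judged as its IPv4 form.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def system_resolve(host: str) -> list[str]:
    """Real resolver; the demo injects fake_resolve instead so it runs offline."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_url(url: str, resolve=system_resolve) -> None:
    """Raise ValueError unless url is http(s) and every resolved address is public."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"unsupported URL: {url}")
    addrs = resolve(parts.hostname)
    if not addrs:
        raise ValueError(f"unresolvable host: {parts.hostname}")
    for addr in addrs:
        if is_blocked_address(addr):
            raise ValueError(f"{url} resolves to blocked address {addr}")


# --- constructed fake network (hostnames and addresses are made up) ----------
FAKE_DNS = {
    "files.example.net": ["203.0.113.10"],          # plays a public host
    "169.254.169.254": ["169.254.169.254"],         # cloud metadata endpoint
    "localhost": ["127.0.0.1", "::1"],
}
FAKE_HTTP = {  # url -> (status, headers, body)
    "http://files.example.net/logo.png": (200, {}, b"PNG..."),
    "http://files.example.net/hop": (302, {"Location": "/redir"}, b""),
    "http://files.example.net/redir": (
        302, {"Location": "http://169.254.169.254/latest/meta-data/"}, b""),
    "http://169.254.169.254/latest/meta-data/": (200, {}, b"ami-id\ninstance-id\n"),
}


def fake_resolve(host: str) -> list[str]:
    return FAKE_DNS.get(host, [])


def fake_get(url: str):
    return FAKE_HTTP.get(url, (404, {}, b""))


def fetch_vulnerable(url, get=fake_get, resolve=fake_resolve, max_hops=5):
    """Checks only the first URL, then lets the client follow redirects (the CVE pattern)."""
    check_url(url, resolve)
    for _ in range(max_hops):
        status, headers, body = get(url)
        if status in REDIRECT_CODES and "Location" in headers:
            url = urljoin(url, headers["Location"])  # no re-validation here
            continue
        return status, body
    raise ValueError("too many redirects")


def fetch_hardened(url, get=fake_get, resolve=fake_resolve, max_hops=5):
    """Automatic redirects off; every hop, relative Location included, is re-checked."""
    for _ in range(max_hops):
        check_url(url, resolve)
        status, headers, body = get(url)
        if status in REDIRECT_CODES and "Location" in headers:
            url = urljoin(url, headers["Location"])
            continue
        return status, body
    raise ValueError("too many redirects")


if __name__ == "__main__":
    print(fetch_vulnerable("http://files.example.net/hop"))   # leaks metadata body
    try:
        fetch_hardened("http://files.example.net/hop")
    except ValueError as err:
        print("blocked:", err)
```

Two caveats a practitioner should keep in mind. Resolving a name and then letting the HTTP client connect separately still leaves a DNS-rebinding window; a production fix pins the connection to the address that was validated (or performs the check inside the client's connection layer) rather than resolving twice. And the check has to cover every 3xx code and relative `Location` values, not only absolute 302 targets, which is why the hardened loop re-runs `check_url` after `urljoin` on each hop.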
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Dotcms | Dotcms | < 21.06.12 |
| Dotcms | Dotcms | >= 5.2.0, < 22.08 |
| Dotcms | Dotcms | >= 22.03, < 22.03.4 |
References
- https://www.dotcms.com/security/SI-64 (Vendor Advisory)
Source: NVD / NIST
