cve-2023-3042
Vulnerability from cvelistv5
Published
2023-10-17 22:52
Modified
2024-09-30 15:25
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
In dotCMS, versions mentioned, a flaw in the NormalizationFilter does not strip double slashes (//) from URLs, potentially enabling bypasses for XSS and access controls. An example affected URL is https://demo.dotcms.com//html/portlet/ext/files/edit_text_inc.jsp , which should return a 404 response but didn't. The oversight in the default invalid URL character list can be viewed at the provided GitHub link https://github.com/dotCMS/core/blob/master/dotCMS/src/main/java/com/dotcms/filters/NormalizationFilter.java#L37 .  To mitigate, users can block URLs with double slashes at firewalls or utilize dotCMS config variables. Specifically, they can use the DOT_URI_NORMALIZATION_FORBIDDEN_STRINGS environmental variable to add // to the list of invalid strings. Additionally, the DOT_URI_NORMALIZATION_FORBIDDEN_REGEX variable offers more detailed control, for instance, to block //html.* URLs. Fix Version:23.06+, LTS 22.03.7+, LTS 23.01.4+
References
security@dotcms.comhttps://www.dotcms.com/security/SI-68Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.dotcms.com/security/SI-68Vendor Advisory
Impacted products
Vendor Product Version
dotCMS dotCMS core Version: 5.3.8
Version: 21.06
Version: 22.03
Version: 23.01
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T06:41:04.130Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.dotcms.com/security/SI-68"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-3042",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-13T15:24:50.892460Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-13T15:25:03.957Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "dotCMS core",
          "vendor": "dotCMS",
          "versions": [
            {
              "status": "affected",
              "version": "5.3.8"
            },
            {
              "status": "affected",
              "version": "21.06"
            },
            {
              "status": "affected",
              "version": "22.03"
            },
            {
              "status": "affected",
              "version": "23.01"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "In dotCMS, versions mentioned, a flaw in the NormalizationFilter does not strip double slashes (//) from URLs, potentially enabling bypasses for XSS and access controls. An example affected URL is \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://demo.dotcms.com//html/portlet/ext/files/edit_text_inc.jsp\"\u003ehttps://demo.dotcms.com//html/portlet/ext/files/edit_text_inc.jsp\u003c/a\u003e, which should return a 404 response but didn\u0027t. \u003cbr\u003e\u003cbr\u003eThe oversight in the default invalid URL character list can be viewed at the provided \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/dotCMS/core/blob/master/dotCMS/src/main/java/com/dotcms/filters/NormalizationFilter.java#L37\"\u003eGitHub link\u003c/a\u003e.\u0026nbsp;\u003cbr\u003e\u003cbr\u003eTo mitigate, users can block URLs with double slashes at firewalls or utilize dotCMS config variables.\u003cbr\u003e\u003cbr\u003eSpecifically, they can use the DOT_URI_NORMALIZATION_FORBIDDEN_STRINGS environmental variable to add // to the list of invalid strings. \u003cbr\u003e\u003cbr\u003eAdditionally, the DOT_URI_NORMALIZATION_FORBIDDEN_REGEX variable offers more detailed control, for instance, to block //html.* URLs.\u003cbr\u003e\u003cbr\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003cth\u003eFix Version:\u003c/th\u003e\u003ctd\u003e23.06+, LTS 22.03.7+, LTS 23.01.4+\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cbr\u003e"
            }
          ],
          "value": "In dotCMS, versions mentioned, a flaw in the NormalizationFilter does not strip double slashes (//) from URLs, potentially enabling bypasses for XSS and access controls. An example affected URL is  https://demo.dotcms.com//html/portlet/ext/files/edit_text_inc.jsp , which should return a 404 response but didn\u0027t. \n\nThe oversight in the default invalid URL character list can be viewed at the provided  GitHub link https://github.com/dotCMS/core/blob/master/dotCMS/src/main/java/com/dotcms/filters/NormalizationFilter.java#L37 .\u00a0\n\nTo mitigate, users can block URLs with double slashes at firewalls or utilize dotCMS config variables.\n\nSpecifically, they can use the DOT_URI_NORMALIZATION_FORBIDDEN_STRINGS environmental variable to add // to the list of invalid strings. \n\nAdditionally, the DOT_URI_NORMALIZATION_FORBIDDEN_REGEX variable offers more detailed control, for instance, to block //html.* URLs.\n\nFix Version:23.06+, LTS 22.03.7+, LTS 23.01.4+"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-247",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-247 XSS Using Invalid Characters"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-09-30T15:25:26.548Z",
        "orgId": "5b9d93f2-25c7-46b4-ab60-d201718c9dd8",
        "shortName": "dotCMS"
      },
      "references": [
        {
          "url": "https://www.dotcms.com/security/SI-68"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "CNA SHORTNAME: dotCMSORG UUID: 5b9d93f2-25c7-46b4-ab60-d201718c9dd8",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "5b9d93f2-25c7-46b4-ab60-d201718c9dd8",
    "assignerShortName": "dotCMS",
    "cveId": "CVE-2023-3042",
    "datePublished": "2023-10-17T22:52:05.453Z",
    "dateReserved": "2023-06-01T20:26:04.134Z",
    "dateUpdated": "2024-09-30T15:25:26.548Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-3042\",\"sourceIdentifier\":\"security@dotcms.com\",\"published\":\"2023-10-17T23:15:11.920\",\"lastModified\":\"2024-11-21T08:16:18.480\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In dotCMS, versions mentioned, a flaw in the NormalizationFilter does not strip double slashes (//) from URLs, potentially enabling bypasses for XSS and access controls. An example affected URL is  https://demo.dotcms.com//html/portlet/ext/files/edit_text_inc.jsp , which should return a 404 response but didn\u0027t. \\n\\nThe oversight in the default invalid URL character list can be viewed at the provided  GitHub link https://github.com/dotCMS/core/blob/master/dotCMS/src/main/java/com/dotcms/filters/NormalizationFilter.java#L37 .\u00a0\\n\\nTo mitigate, users can block URLs with double slashes at firewalls or utilize dotCMS config variables.\\n\\nSpecifically, they can use the DOT_URI_NORMALIZATION_FORBIDDEN_STRINGS environmental variable to add // to the list of invalid strings. \\n\\nAdditionally, the DOT_URI_NORMALIZATION_FORBIDDEN_REGEX variable offers more detailed control, for instance, to block //html.* URLs.\\n\\nFix Version:23.06+, LTS 22.03.7+, LTS 23.01.4+\"},{\"lang\":\"es\",\"value\":\"En dotCMS, versiones mencionadas, una falla en NormalizationFilter no elimina las barras dobles (//) de las URL, lo que potencialmente permite omitir XSS y controles de acceso. Un ejemplo de URL afectada es https://demo.dotcms.com//html/portlet/ext/files/edit_text_inc.jsp https://demo.dotcms.com//html/portlet/ext/files/edit_text_inc.jsp, que deber\u00eda devolver una respuesta 404 pero no lo hizo. La supervisi\u00f3n de la lista predeterminada de caracteres de URL no v\u00e1lidos se puede ver en el enlace proporcionado de GitHub https://github.com/dotCMS/core/blob/master/dotCMS/src/main/java/com/dotcms/filters/NormalizationFilter.java #L37. Para mitigar, los usuarios pueden bloquear las URL con barras dobles en los firewalls o utilizar variables de configuraci\u00f3n de dotCMS. Espec\u00edficamente, pueden usar la variable ambiental DOT_URI_NORMALIZATION_FORBIDDEN_STRINGS para agregar // a la lista de cadenas no v\u00e1lidas. Adem\u00e1s, la variable DOT_URI_NORMALIZATION_FORBIDDEN_REGEX ofrece un control m\u00e1s detallado, por ejemplo, para bloquear URL //html.*. Versi\u00f3n reparada: 23.06+, LTS 22.03.7+, LTS 23.01.4+\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@dotcms.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"security@dotcms.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dotcms:dotcms:5.3.8:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1B26B5D7-CE8E-4908-8D46-A78B1A4245BA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dotcms:dotcms:21.06:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"98D4378C-DEAC-44C1-89D1-A4846450E153\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dotcms:dotcms:22.03:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5FC8E88E-4C9A-4FE9-A3B6-2A5707323F1E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dotcms:dotcms:23.01:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D68AC1E5-1756-4838-8BE5-78B2F1435A6C\"}]}]}],\"references\":[{\"url\":\"https://www.dotcms.com/security/SI-68\",\"source\":\"security@dotcms.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.dotcms.com/security/SI-68\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://www.dotcms.com/security/SI-68\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T06:41:04.130Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-3042\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-09-13T15:24:50.892460Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-13T15:24:58.954Z\"}}], \"cna\": {\"title\": \"CNA SHORTNAME: dotCMSORG UUID: 5b9d93f2-25c7-46b4-ab60-d201718c9dd8\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"impacts\": [{\"capecId\": \"CAPEC-247\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-247 XSS Using Invalid Characters\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"dotCMS\", \"product\": \"dotCMS core\", \"versions\": [{\"status\": \"affected\", \"version\": \"5.3.8\"}, {\"status\": \"affected\", \"version\": \"21.06\"}, {\"status\": \"affected\", \"version\": \"22.03\"}, {\"status\": \"affected\", \"version\": \"23.01\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://www.dotcms.com/security/SI-68\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In dotCMS, versions mentioned, a flaw in the NormalizationFilter does not strip double slashes (//) from URLs, potentially enabling bypasses for XSS and access controls. An example affected URL is  https://demo.dotcms.com//html/portlet/ext/files/edit_text_inc.jsp , which should return a 404 response but didn\u0027t. \\n\\nThe oversight in the default invalid URL character list can be viewed at the provided  GitHub link https://github.com/dotCMS/core/blob/master/dotCMS/src/main/java/com/dotcms/filters/NormalizationFilter.java#L37 .\\u00a0\\n\\nTo mitigate, users can block URLs with double slashes at firewalls or utilize dotCMS config variables.\\n\\nSpecifically, they can use the DOT_URI_NORMALIZATION_FORBIDDEN_STRINGS environmental variable to add // to the list of invalid strings. \\n\\nAdditionally, the DOT_URI_NORMALIZATION_FORBIDDEN_REGEX variable offers more detailed control, for instance, to block //html.* URLs.\\n\\nFix Version:23.06+, LTS 22.03.7+, LTS 23.01.4+\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"In dotCMS, versions mentioned, a flaw in the NormalizationFilter does not strip double slashes (//) from URLs, potentially enabling bypasses for XSS and access controls. An example affected URL is \u003ca target=\\\"_blank\\\" rel=\\\"nofollow\\\" href=\\\"https://demo.dotcms.com//html/portlet/ext/files/edit_text_inc.jsp\\\"\u003ehttps://demo.dotcms.com//html/portlet/ext/files/edit_text_inc.jsp\u003c/a\u003e, which should return a 404 response but didn\u0027t. \u003cbr\u003e\u003cbr\u003eThe oversight in the default invalid URL character list can be viewed at the provided \u003ca target=\\\"_blank\\\" rel=\\\"nofollow\\\" href=\\\"https://github.com/dotCMS/core/blob/master/dotCMS/src/main/java/com/dotcms/filters/NormalizationFilter.java#L37\\\"\u003eGitHub link\u003c/a\u003e.\u0026nbsp;\u003cbr\u003e\u003cbr\u003eTo mitigate, users can block URLs with double slashes at firewalls or utilize dotCMS config variables.\u003cbr\u003e\u003cbr\u003eSpecifically, they can use the DOT_URI_NORMALIZATION_FORBIDDEN_STRINGS environmental variable to add // to the list of invalid strings. \u003cbr\u003e\u003cbr\u003eAdditionally, the DOT_URI_NORMALIZATION_FORBIDDEN_REGEX variable offers more detailed control, for instance, to block //html.* URLs.\u003cbr\u003e\u003cbr\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003cth\u003eFix Version:\u003c/th\u003e\u003ctd\u003e23.06+, LTS 22.03.7+, LTS 23.01.4+\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cbr\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"5b9d93f2-25c7-46b4-ab60-d201718c9dd8\", \"shortName\": \"dotCMS\", \"dateUpdated\": \"2024-09-30T15:25:26.548Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-3042\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-09-30T15:25:26.548Z\", \"dateReserved\": \"2023-06-01T20:26:04.134Z\", \"assignerOrgId\": \"5b9d93f2-25c7-46b4-ab60-d201718c9dd8\", \"datePublished\": \"2023-10-17T22:52:05.453Z\", \"assignerShortName\": \"dotCMS\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.