fkie_cve-2023-3042
Vulnerability from fkie_nvd
Published
2023-10-17 23:15
Modified
2024-11-21 08:16
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
In dotCMS, versions mentioned, a flaw in the NormalizationFilter does not strip double slashes (//) from URLs, potentially enabling bypasses for XSS and access controls. An example affected URL is https://demo.dotcms.com//html/portlet/ext/files/edit_text_inc.jsp , which should return a 404 response but didn't. The oversight in the default invalid URL character list can be viewed at the provided GitHub link https://github.com/dotCMS/core/blob/master/dotCMS/src/main/java/com/dotcms/filters/NormalizationFilter.java#L37 .  To mitigate, users can block URLs with double slashes at firewalls or utilize dotCMS config variables. Specifically, they can use the DOT_URI_NORMALIZATION_FORBIDDEN_STRINGS environmental variable to add // to the list of invalid strings. Additionally, the DOT_URI_NORMALIZATION_FORBIDDEN_REGEX variable offers more detailed control, for instance, to block //html.* URLs. Fix Version:23.06+, LTS 22.03.7+, LTS 23.01.4+
References
security@dotcms.comhttps://www.dotcms.com/security/SI-68Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.dotcms.com/security/SI-68Vendor Advisory
Impacted products
Vendor Product Version
dotcms dotcms 5.3.8
dotcms dotcms 21.06
dotcms dotcms 22.03
dotcms dotcms 23.01


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:dotcms:dotcms:5.3.8:*:*:*:*:*:*:*",
              "matchCriteriaId": "1B26B5D7-CE8E-4908-8D46-A78B1A4245BA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dotcms:dotcms:21.06:*:*:*:*:*:*:*",
              "matchCriteriaId": "98D4378C-DEAC-44C1-89D1-A4846450E153",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dotcms:dotcms:22.03:*:*:*:*:*:*:*",
              "matchCriteriaId": "5FC8E88E-4C9A-4FE9-A3B6-2A5707323F1E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dotcms:dotcms:23.01:*:*:*:*:*:*:*",
              "matchCriteriaId": "D68AC1E5-1756-4838-8BE5-78B2F1435A6C",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In dotCMS, versions mentioned, a flaw in the NormalizationFilter does not strip double slashes (//) from URLs, potentially enabling bypasses for XSS and access controls. An example affected URL is  https://demo.dotcms.com//html/portlet/ext/files/edit_text_inc.jsp , which should return a 404 response but didn\u0027t. \n\nThe oversight in the default invalid URL character list can be viewed at the provided  GitHub link https://github.com/dotCMS/core/blob/master/dotCMS/src/main/java/com/dotcms/filters/NormalizationFilter.java#L37 .\u00a0\n\nTo mitigate, users can block URLs with double slashes at firewalls or utilize dotCMS config variables.\n\nSpecifically, they can use the DOT_URI_NORMALIZATION_FORBIDDEN_STRINGS environmental variable to add // to the list of invalid strings. \n\nAdditionally, the DOT_URI_NORMALIZATION_FORBIDDEN_REGEX variable offers more detailed control, for instance, to block //html.* URLs.\n\nFix Version:23.06+, LTS 22.03.7+, LTS 23.01.4+"
    },
    {
      "lang": "es",
      "value": "En dotCMS, versiones mencionadas, una falla en NormalizationFilter no elimina las barras dobles (//) de las URL, lo que potencialmente permite omitir XSS y controles de acceso. Un ejemplo de URL afectada es https://demo.dotcms.com//html/portlet/ext/files/edit_text_inc.jsp https://demo.dotcms.com//html/portlet/ext/files/edit_text_inc.jsp, que deber\u00eda devolver una respuesta 404 pero no lo hizo. La supervisi\u00f3n de la lista predeterminada de caracteres de URL no v\u00e1lidos se puede ver en el enlace proporcionado de GitHub https://github.com/dotCMS/core/blob/master/dotCMS/src/main/java/com/dotcms/filters/NormalizationFilter.java #L37. Para mitigar, los usuarios pueden bloquear las URL con barras dobles en los firewalls o utilizar variables de configuraci\u00f3n de dotCMS. Espec\u00edficamente, pueden usar la variable ambiental DOT_URI_NORMALIZATION_FORBIDDEN_STRINGS para agregar // a la lista de cadenas no v\u00e1lidas. Adem\u00e1s, la variable DOT_URI_NORMALIZATION_FORBIDDEN_REGEX ofrece un control m\u00e1s detallado, por ejemplo, para bloquear URL //html.*. Versi\u00f3n reparada: 23.06+, LTS 22.03.7+, LTS 23.01.4+"
    }
  ],
  "id": "CVE-2023-3042",
  "lastModified": "2024-11-21T08:16:18.480",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "security@dotcms.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-10-17T23:15:11.920",
  "references": [
    {
      "source": "security@dotcms.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.dotcms.com/security/SI-68"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.dotcms.com/security/SI-68"
    }
  ],
  "sourceIdentifier": "security@dotcms.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security@dotcms.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.