cnvd - cnvd-2019-21130

CNVD-2019-21130

Vulnerability from cnvd - Published: 2019-07-04

Title

dotCMS任意文件上传漏洞（CNVD-2019-21130）

Description

dotCMS是美国dotCMS公司的一套内容管理系统（CMS）。 dotCMS 3.7.1及之前版本中的管理面板中的Push Publishing功能存在任意文件上传漏洞，该漏洞源于在解压上传到Push Publishing功能的‘Bundle’tar.gz归档文件时，程序未能正确的验证文件的类型，远程攻击者可利用该漏洞上传任意文件。

Severity

高

Formal description

厂商尚未提供漏洞修复方案，请关注厂商主页更新： https://dotcms.com/

Reference

http://www.kb.cert.org/vuls/id/168699

Impacted products

Name
dotCMS dotCMS <=3.7.1

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-3189",
      "cveUrl": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3189"
    }
  },
  "description": "dotCMS\u662f\u7f8e\u56fddotCMS\u516c\u53f8\u7684\u4e00\u5957\u5185\u5bb9\u7ba1\u7406\u7cfb\u7edf\uff08CMS\uff09\u3002\n\ndotCMS 3.7.1\u53ca\u4e4b\u524d\u7248\u672c\u4e2d\u7684\u7ba1\u7406\u9762\u677f\u4e2d\u7684Push Publishing\u529f\u80fd\u5b58\u5728\u4efb\u610f\u6587\u4ef6\u4e0a\u4f20\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5728\u89e3\u538b\u4e0a\u4f20\u5230Push Publishing\u529f\u80fd\u7684\u2018Bundle\u2019tar.gz\u5f52\u6863\u6587\u4ef6\u65f6\uff0c\u7a0b\u5e8f\u672a\u80fd\u6b63\u786e\u7684\u9a8c\u8bc1\u6587\u4ef6\u7684\u7c7b\u578b\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u4e0a\u4f20\u4efb\u610f\u6587\u4ef6\u3002",
  "discovererName": "Todaro",
  "formalWay": "\u5382\u5546\u5c1a\u672a\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u590d\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u66f4\u65b0\uff1a\r\nhttps://dotcms.com/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2019-21130",
  "openTime": "2019-07-04",
  "products": {
    "product": "dotCMS dotCMS \u003c=3.7.1"
  },
  "referenceLink": "http://www.kb.cert.org/vuls/id/168699",
  "serverity": "\u9ad8",
  "submitTime": "2018-08-09",
  "title": "dotCMS\u4efb\u610f\u6587\u4ef6\u4e0a\u4f20\u6f0f\u6d1e\uff08CNVD-2019-21130\uff09"
}

CVE-2017-3189 (GCVE-0-2017-3189)

Vulnerability from cvelistv5 – Published: 2018-07-24 15:00 – Updated: 2024-08-05 14:16

Summary

The dotCMS administration panel, versions 3.7.1 and earlier, "Push Publishing" feature in Enterprise Pro is vulnerable to arbitrary file upload. When "Bundle" tar.gz archives uploaded to the Push Publishing feature are decompressed, there are no checks on the types of files which the bundle contains. This vulnerability combined with the path traversal vulnerability (CVE-2017-3188) can lead to remote command execution with the permissions of the user running the dotCMS application. An unauthenticated remote attacker may perform actions with the dotCMS administrator panel with the same permissions of a victim user or execute arbitrary system commands with the permissions of the user running the dotCMS application.

Severity ?

No CVSS data available.

CWE

CWE-434

Assigner

certcc

References

URL

Tags

	https://www.kb.cert.org/vuls/id/168699	third-party-advisoryx_refsource_CERT-VN
	http://www.securityfocus.com/bid/96616	vdb-entryx_refsource_BID

Impacted products

	Vendor	Product	Version
	docCMS	Administration Panel	Affected: 3.7.1 , ≤ 3.7.1 (custom)

Credits

Thanks to: [1]SafeDog Penetration and Defense Lab:darong tong [2]SafeDog Penetration and Defense Lab:yong cai [3]shaohong wu for reporting these vulnerabilities.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T14:16:28.234Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "VU#168699",
            "tags": [
              "third-party-advisory",
              "x_refsource_CERT-VN",
              "x_transferred"
            ],
            "url": "https://www.kb.cert.org/vuls/id/168699"
          },
          {
            "name": "96616",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/96616"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Administration Panel",
          "vendor": "docCMS",
          "versions": [
            {
              "lessThanOrEqual": "3.7.1",
              "status": "affected",
              "version": "3.7.1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Thanks to:\n\n[1]SafeDog Penetration and Defense Lab:darong tong\n[2]SafeDog Penetration and Defense Lab:yong cai\n[3]shaohong wu \n\nfor reporting these vulnerabilities."
        }
      ],
      "datePublic": "2017-03-06T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The dotCMS administration panel, versions 3.7.1 and earlier, \"Push Publishing\" feature in Enterprise Pro is vulnerable to arbitrary file upload. When \"Bundle\" tar.gz archives uploaded to the Push Publishing feature are decompressed, there are no checks on the types of files which the bundle contains. This vulnerability combined with the path traversal vulnerability (CVE-2017-3188) can lead to remote command execution with the permissions of the user running the dotCMS application. An unauthenticated remote attacker may perform actions with the dotCMS administrator panel with the same permissions of a victim user or execute arbitrary system commands with the permissions of the user running the dotCMS application."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-434",
              "description": "CWE-434",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-07-25T09:57:01",
        "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "shortName": "certcc"
      },
      "references": [
        {
          "name": "VU#168699",
          "tags": [
            "third-party-advisory",
            "x_refsource_CERT-VN"
          ],
          "url": "https://www.kb.cert.org/vuls/id/168699"
        },
        {
          "name": "96616",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/96616"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "The dotCMS administration panel, versions 3.7.1 and earlier, \"Push Publishing\" feature in Enterprise Pro is vulnerable to arbitrary file upload",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cert@cert.org",
          "ID": "CVE-2017-3189",
          "STATE": "PUBLIC",
          "TITLE": "The dotCMS administration panel, versions 3.7.1 and earlier, \"Push Publishing\" feature in Enterprise Pro is vulnerable to arbitrary file upload"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Administration Panel",
                      "version": {
                        "version_data": [
                          {
                            "affected": "\u003c=",
                            "version_affected": "\u003c=",
                            "version_name": "3.7.1",
                            "version_value": "3.7.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "docCMS"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Thanks to:\n\n[1]SafeDog Penetration and Defense Lab:darong tong\n[2]SafeDog Penetration and Defense Lab:yong cai\n[3]shaohong wu \n\nfor reporting these vulnerabilities."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The dotCMS administration panel, versions 3.7.1 and earlier, \"Push Publishing\" feature in Enterprise Pro is vulnerable to arbitrary file upload. When \"Bundle\" tar.gz archives uploaded to the Push Publishing feature are decompressed, there are no checks on the types of files which the bundle contains. This vulnerability combined with the path traversal vulnerability (CVE-2017-3188) can lead to remote command execution with the permissions of the user running the dotCMS application. An unauthenticated remote attacker may perform actions with the dotCMS administrator panel with the same permissions of a victim user or execute arbitrary system commands with the permissions of the user running the dotCMS application."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-434"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "VU#168699",
              "refsource": "CERT-VN",
              "url": "https://www.kb.cert.org/vuls/id/168699"
            },
            {
              "name": "96616",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/96616"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
    "assignerShortName": "certcc",
    "cveId": "CVE-2017-3189",
    "datePublished": "2018-07-24T15:00:00",
    "dateReserved": "2016-12-05T00:00:00",
    "dateUpdated": "2024-08-05T14:16:28.234Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2019-21130

CVE-2017-3189 (GCVE-0-2017-3189)

Tags

Sightings

Nomenclature