CVE-2017-3188 (GCVE-0-2017-3188)

Vulnerability from cvelistv5 – Published: 2018-07-24 15:00 – Updated: 2024-08-05 14:16
VLAI?
Summary
The dotCMS administration panel, versions 3.7.1 and earlier, "Push Publishing" feature in Enterprise Pro is vulnerable to path traversal. When "Bundle" tar.gz archives uploaded to the Push Publishing feature are decompressed, the filenames of its contents are not properly checked, allowing for writing files to arbitrary directories on the file system. These archives may be uploaded directly via the administrator panel, or using the CSRF vulnerability (CVE-2017-3187). An unauthenticated remote attacker may perform actions with the dotCMS administrator panel with the same permissions of a victim user or execute arbitrary system commands with the permissions of the user running the dotCMS application.
Severity ?
No CVSS data available.
CWE
Assigner
References
https://www.kb.cert.org/vuls/id/168699 third-party-advisoryx_refsource_CERT-VN
http://www.securityfocus.com/bid/96616 vdb-entryx_refsource_BID
Impacted products
Vendor Product Version
docCMS Administration Panel Affected: 3.7.1 , ≤ 3.7.1 (custom)
Create a notification for this product.
Credits
Thanks to: [1]SafeDog Penetration and Defense Lab:darong tong [2]SafeDog Penetration and Defense Lab:yong cai [3]shaohong wu for reporting these vulnerabilities.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T14:16:28.240Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "VU#168699",
            "tags": [
              "third-party-advisory",
              "x_refsource_CERT-VN",
              "x_transferred"
            ],
            "url": "https://www.kb.cert.org/vuls/id/168699"
          },
          {
            "name": "96616",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/96616"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Administration Panel",
          "vendor": "docCMS",
          "versions": [
            {
              "lessThanOrEqual": "3.7.1",
              "status": "affected",
              "version": "3.7.1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Thanks to:\n\n[1]SafeDog Penetration and Defense Lab:darong tong\n[2]SafeDog Penetration and Defense Lab:yong cai\n[3]shaohong wu \n\nfor reporting these vulnerabilities."
        }
      ],
      "datePublic": "2017-03-06T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The dotCMS administration panel, versions 3.7.1 and earlier, \"Push Publishing\" feature in Enterprise Pro is vulnerable to path traversal. When \"Bundle\" tar.gz archives uploaded to the Push Publishing feature are decompressed, the filenames of its contents are not properly checked, allowing for writing files to arbitrary directories on the file system. These archives may be uploaded directly via the administrator panel, or using the CSRF vulnerability (CVE-2017-3187). An unauthenticated remote attacker may perform actions with the dotCMS administrator panel with the same permissions of a victim user or execute arbitrary system commands with the permissions of the user running the dotCMS application."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-07-25T09:57:01",
        "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "shortName": "certcc"
      },
      "references": [
        {
          "name": "VU#168699",
          "tags": [
            "third-party-advisory",
            "x_refsource_CERT-VN"
          ],
          "url": "https://www.kb.cert.org/vuls/id/168699"
        },
        {
          "name": "96616",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/96616"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "The dotCMS administration panel, versions 3.7.1 and earlier, \"Push Publishing\" feature in Enterprise Pro is vulnerable to path traversal",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cert@cert.org",
          "ID": "CVE-2017-3188",
          "STATE": "PUBLIC",
          "TITLE": "The dotCMS administration panel, versions 3.7.1 and earlier, \"Push Publishing\" feature in Enterprise Pro is vulnerable to path traversal"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Administration Panel",
                      "version": {
                        "version_data": [
                          {
                            "affected": "\u003c=",
                            "version_affected": "\u003c=",
                            "version_name": "3.7.1",
                            "version_value": "3.7.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "docCMS"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Thanks to:\n\n[1]SafeDog Penetration and Defense Lab:darong tong\n[2]SafeDog Penetration and Defense Lab:yong cai\n[3]shaohong wu \n\nfor reporting these vulnerabilities."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The dotCMS administration panel, versions 3.7.1 and earlier, \"Push Publishing\" feature in Enterprise Pro is vulnerable to path traversal. When \"Bundle\" tar.gz archives uploaded to the Push Publishing feature are decompressed, the filenames of its contents are not properly checked, allowing for writing files to arbitrary directories on the file system. These archives may be uploaded directly via the administrator panel, or using the CSRF vulnerability (CVE-2017-3187). An unauthenticated remote attacker may perform actions with the dotCMS administrator panel with the same permissions of a victim user or execute arbitrary system commands with the permissions of the user running the dotCMS application."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-22"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "VU#168699",
              "refsource": "CERT-VN",
              "url": "https://www.kb.cert.org/vuls/id/168699"
            },
            {
              "name": "96616",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/96616"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
    "assignerShortName": "certcc",
    "cveId": "CVE-2017-3188",
    "datePublished": "2018-07-24T15:00:00",
    "dateReserved": "2016-12-05T00:00:00",
    "dateUpdated": "2024-08-05T14:16:28.240Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:dotcms:dotcms:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"3.7.1\", \"matchCriteriaId\": \"B9E0DEC1-1F66-46E4-B9C7-9E403541CADC\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"The dotCMS administration panel, versions 3.7.1 and earlier, \\\"Push Publishing\\\" feature in Enterprise Pro is vulnerable to path traversal. When \\\"Bundle\\\" tar.gz archives uploaded to the Push Publishing feature are decompressed, the filenames of its contents are not properly checked, allowing for writing files to arbitrary directories on the file system. These archives may be uploaded directly via the administrator panel, or using the CSRF vulnerability (CVE-2017-3187). An unauthenticated remote attacker may perform actions with the dotCMS administrator panel with the same permissions of a victim user or execute arbitrary system commands with the permissions of the user running the dotCMS application.\"}, {\"lang\": \"es\", \"value\": \"En el panel de administrador de dotCMS, en versiones 3.7.1 y anteriores, la caracter\\u00edstica \\\"Push Publishing\\\" en Enterprise Pro es vulnerable a un salto de directorio. Cuando los archivos \\\"Bundle\\\" tar.gz se suben a la funcionalidad Push Publishing se descomprimen, los nombres de archivo de sus contenidos no se comprueban correctamente, lo que permite escribir archivos en directorios arbitrarios del sistema de archivos. Estos archivos podr\\u00edan subirse directamente mediante el panel de administraci\\u00f3n o mediante la vulnerabilidad CSRF (CVE-2017-3187). Un atacante remoto no autenticado podr\\u00eda realizar acciones con el panel de administrador de dotCMS con los mismos permisos que un usuario v\\u00edctima o ejecutar comandos arbitrarios del sistema con los permisos del usuario que ejecuta la aplicaci\\u00f3n dotCMS.\"}]",
      "id": "CVE-2017-3188",
      "lastModified": "2024-11-21T03:24:59.690",
      "metrics": "{\"cvssMetricV30\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N\", \"baseScore\": 6.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 3.6}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:S/C:N/I:P/A:N\", \"baseScore\": 4.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"SINGLE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.0, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2018-07-24T15:29:00.593",
      "references": "[{\"url\": \"http://www.securityfocus.com/bid/96616\", \"source\": \"cret@cert.org\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://www.kb.cert.org/vuls/id/168699\", \"source\": \"cret@cert.org\", \"tags\": [\"Third Party Advisory\", \"US Government Resource\"]}, {\"url\": \"https://doc.dotcms.com/security/SI-41\", \"source\": \"nvd@nist.gov\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://www.securityfocus.com/bid/96616\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://www.kb.cert.org/vuls/id/168699\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"US Government Resource\"]}]",
      "sourceIdentifier": "cret@cert.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"cret@cert.org\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-22\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-22\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2017-3188\",\"sourceIdentifier\":\"cret@cert.org\",\"published\":\"2018-07-24T15:29:00.593\",\"lastModified\":\"2024-11-21T03:24:59.690\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The dotCMS administration panel, versions 3.7.1 and earlier, \\\"Push Publishing\\\" feature in Enterprise Pro is vulnerable to path traversal. When \\\"Bundle\\\" tar.gz archives uploaded to the Push Publishing feature are decompressed, the filenames of its contents are not properly checked, allowing for writing files to arbitrary directories on the file system. These archives may be uploaded directly via the administrator panel, or using the CSRF vulnerability (CVE-2017-3187). An unauthenticated remote attacker may perform actions with the dotCMS administrator panel with the same permissions of a victim user or execute arbitrary system commands with the permissions of the user running the dotCMS application.\"},{\"lang\":\"es\",\"value\":\"En el panel de administrador de dotCMS, en versiones 3.7.1 y anteriores, la caracter\u00edstica \\\"Push Publishing\\\" en Enterprise Pro es vulnerable a un salto de directorio. Cuando los archivos \\\"Bundle\\\" tar.gz se suben a la funcionalidad Push Publishing se descomprimen, los nombres de archivo de sus contenidos no se comprueban correctamente, lo que permite escribir archivos en directorios arbitrarios del sistema de archivos. Estos archivos podr\u00edan subirse directamente mediante el panel de administraci\u00f3n o mediante la vulnerabilidad CSRF (CVE-2017-3187). Un atacante remoto no autenticado podr\u00eda realizar acciones con el panel de administrador de dotCMS con los mismos permisos que un usuario v\u00edctima o ejecutar comandos arbitrarios del sistema con los permisos del usuario que ejecuta la aplicaci\u00f3n dotCMS.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:N/I:P/A:N\",\"baseScore\":4.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"cret@cert.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dotcms:dotcms:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"3.7.1\",\"matchCriteriaId\":\"B9E0DEC1-1F66-46E4-B9C7-9E403541CADC\"}]}]}],\"references\":[{\"url\":\"http://www.securityfocus.com/bid/96616\",\"source\":\"cret@cert.org\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://www.kb.cert.org/vuls/id/168699\",\"source\":\"cret@cert.org\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]},{\"url\":\"https://doc.dotcms.com/security/SI-41\",\"source\":\"nvd@nist.gov\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/96616\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://www.kb.cert.org/vuls/id/168699\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.