CVE-2022-26352
Published 2022-07-17
Priority P1 (99); critical, CVSS 3.1 base score 9.8, vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV, ITW, exploit, ransomware
CISA Known Exploited Vulnerability, remediation due 2022-09-15
Exploited in the wild
EPSS 91.50% (99.8th percentile)
An issue was discovered in the ContentResource API in dotCMS 3.0 through 22.02. Attackers can craft a multipart form request to post a file whose filename is not initially sanitized. This allows directory traversal, in which the file is saved outside of the intended storage location. If anonymous content creation is enabled, this allows an unauthenticated attacker to upload an executable file, such as a .jsp file, that can lead to remote code execution.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dotcms | dotcms | 3.0 – 22.02 | — |
Detection & IOCs (extracted from sources)
url: POST /api/content/ HTTP/1.1
path: /api/content/
path: ../../../../../../../../../srv/dotserver/tomcat-9.0.41/webapps/ROOT/
snort:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT dotCMS Arbitrary File Upload Attempt (CVE-2022-26352) M1"; flow:established,to_server; http.request_line; content:"POST|20|/api/content/|20|"; startswith; fast_pattern; http.content_type; content:"multipart/form-data|3b|"; startswith; http.request_body; content:"filename=|22 2e 2e 2f|"; reference:url,blog.assetnote.io/2022/05/03/hacking-a-bank-using-dotcms-rce/; reference:url,www.dotcms.com/security/SI-62; reference:cve,2022-26352; classtype:attempted-admin; sid:2036457; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2022_05_04, cve CVE_2022_26352, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_05_04;)
bytes: filename=|22 2e 2e 2f| (in HTTP request body)
- Detect multipart POST requests to /api/content/ where the Content-Disposition filename begins with directory traversal sequences (e.g., '../'), the core exploit primitive for CVE-2022-26352.
- Alert on HTTP POST to /api/content/ with Content-Type multipart/form-data AND a request body containing filename="../ (hex: 22 2e 2e 2f), as captured in Emerging Threats SID 2036457.
- Monitor for .jsp files appearing in the dotCMS webapps/ROOT directory, especially with random or unexpected names; this indicates successful exploitation and webshell placement.
- CVE-2022-26352 is exploitable without authentication if anonymous content creation is enabled; prioritize detection on unauthenticated POST requests to /api/content/.
- This vulnerability is actively exploited by HolyGhost (DEV-0530) ransomware operators as an initial access vector; correlate dotCMS exploitation attempts with subsequent lateral movement, credential theft, or ransomware staging activity.
- Use Shodan/FOFA/Google dorks to identify exposed dotCMS instances as potential targets: shodan-query 'http.title:"dotcms"', fofa-query 'title="dotcms"', google-query 'intitle:"dotcms"'.
- Exploitation only succeeds without authentication if the dotCMS instance has anonymous content creation enabled; instances requiring authentication are harder to exploit remotely.
- The traversal path depth in the exploit payload targets a specific Tomcat deployment path (srv/dotserver/tomcat-9.0.41/webapps/ROOT/); actual traversal depth and target path may vary by installation.
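As an added detection example (not code from this page, from dotCMS or from the Emerging Threats ruleset), the Python below applies the conditions of SID 2036457/2036458 to a raw HTTP request and also parses the Content-Disposition filename for any `..` path segment, which is the condition a server-side filename sanitizer has to reject. The request builder, its boundary string and the host name are constructed test data.

```python
import re

# Literal signature from ET SID 2036457 (POST) / 2036458 (PUT): filename=|22 2e 2e 2f|
TRAVERSAL_SIG = b'filename="../'
FILENAME_PARAM = re.compile(rb'filename="([^"\r\n]*)"', re.IGNORECASE)
ET_SID_BY_METHOD = {b"POST": 2036457, b"PUT": 2036458}


def inspect_request(raw: bytes) -> dict:
    """Check one raw HTTP/1.1 request for the CVE-2022-26352 upload pattern.

    'sid': the ET rule whose literal conditions the request meets (None if none).
    'traversal_filename': broader check, any '..' segment in the Content-Disposition
    filename, i.e. the condition a server-side filename sanitizer must reject."""
    verdict = {"sid": None, "traversal_filename": False}
    head, sep, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    parts = request_line.split(b" ")
    if not sep or len(parts) != 3:
        return verdict
    method, target = parts[0], parts[1]
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    content_type = headers.get(b"content-type", b"")
    # Rule conditions: request line starts with "<METHOD> /api/content/ " and
    # the Content-Type header starts with "multipart/form-data;"
    if target != b"/api/content/" or not content_type.startswith(b"multipart/form-data;"):
        return verdict
    if TRAVERSAL_SIG in body:
        verdict["sid"] = ET_SID_BY_METHOD.get(method)
    for match in FILENAME_PARAM.finditer(body):
        if b".." in match.group(1).replace(b"\\", b"/").split(b"/"):
            verdict["traversal_filename"] = True
            break
    return verdict


def build_request(method: str, filename: str) -> bytes:
    """Construct a sample multipart upload to /api/content/ (test data, not real traffic)."""
    boundary = b"----ConstructedBoundary"
    body = (b"--" + boundary + b'\r\nContent-Disposition: form-data; name="file"; filename="'
            + filename.encode() + b'"\r\nContent-Type: text/plain\r\n\r\nconstructed sample\r\n'
            b"--" + boundary + b"--\r\n")
    head = (f"{method} /api/content/ HTTP/1.1\r\nHost: dotcms.example\r\n"
            f"Content-Type: multipart/form-data; boundary={boundary.decode()}\r\n"
            f"Content-Length: {len(body)}\r\n\r\n")
    return head.encode() + body
```

The ET signature only matches the literal `filename="../` at the start of the parameter, so `traversal_filename` reports the cases a log-level detector or the application itself should also treat as a traversal attempt.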
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| vulncheck | | 9.8 | CRITICAL | |
| cisa | | 9.8 | CRITICAL | |
GHSA
GHSA-pr6q-gfg3-vcjf (ghsa_unreviewed, 2022-07-18): CVE-2022-26352 [CRITICAL] CWE-22
Description: same text as the CVE description above.
VulnCheck
dotCMS Unrestricted Upload of File Vulnerability (vulncheck, 2022, CVSS 9.8): CVE-2022-26352 [CRITICAL] CWE-22
dotCMS ContentResource API contains an unrestricted upload of file with a dangerous type vulnerability that allows for directory traversal, in which the file is saved outside of the intended storage location. Exploitation allows for remote code execution.
Affected: dotCMS dotCMS
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.microsoft.com/security/blog/2022/07/14/north-korean-threat-actor-targets-small-and-midsize-businesses-with-h0lygh0st-ransomware/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.ivanti.com/resources/v/doc/pr-survey-report/ransomware-quarterly-indexreport_q2-q3; https://web.archive.org/w
CISA
dotCMS Unrestricted Upload of File Vulnerability (cisa, 2022-08-25, CVSS 9.8): CVE-2022-26352 [CRITICAL] CWE-22
Affected: dotCMS dotCMS
Description: same text as the VulnCheck entry above.
Required Action: Apply updates per vendor instructions.
Notes: https://www.dotcms.com/security/SI-62; https://nvd.nist.gov/vuln/detail/CVE-2022-26352
Remediation Due Date: 2022-09-15
Suricata
ET EXPLOIT dotCMS Arbitrary File Upload Attempt (CVE-2022-26352) M1 (suricata, 2022-05-04, CVSS 9.8): CVE-2022-26352 [CRITICAL]
Rule: SID 2036457, given in full under Detection & IOCs above.
Suricata
ET EXPLOIT dotCMS Arbitrary File Upload Attempt (CVE-2022-26352) M2 (suricata, 2022-05-04, CVSS 9.8): CVE-2022-26352 [CRITICAL]
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT dotCMS Arbitrary File Upload Attempt (CVE-2022-26352) M2"; flow:established,to_server; http.request_line; content:"PUT|20|/api/content/|20|"; startswith; fast_pattern; http.content_type; content:"multipart/form-data|3b|"; startswith; http.request_body; content:"filename=|22 2e 2e 2f|"; reference:url,blog.assetnote.io/2022/05/03/hacking-a-bank-using-dotcms-rce/; reference:url,www.dotcms.com/security/SI-62; reference:cve,2022-26352; classtype:attempted-admin; sid:2036458; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2022_05_04, cve CVE_2022_26352, deployment Perimeter, deployment Internal, deployment
Nuclei
DotCMS - Arbitrary File Upload (nuclei, CVSS 9.8): CVE-2022-26352 [CRITICAL]
Template:
id: CVE-2022-26352
info:
  name: DotCMS - Arbitrary File Upload
  author: h1ei1
  severity: critical
  description: DotCMS management system contains an arbitrary file upload vulnerability via the /api/content/ path which can allow attackers to upload malicious Trojans to obtain server permissions.
  impact: |
    Successful exploitation of this vulnerability can lead to remote code execution, compromising the confidentiality, integrity, and availability of the affected system.
  remediation: |
    Apply the latest security patches or updates provided by the vendor to fix this vulnera
Metasploit
DotCMS RCE via Arbitrary File Upload (metasploit)
When files are uploaded into dotCMS via the content API, but before they become content, dotCMS writes the file down in a temp directory. In the case of this vulnerability, dotCMS does not sanitize the filename passed in via the multipart request header and thus does not sanitize the temp file's name. This allows a specially crafted request to POST files to dotCMS via the ContentResource (POST /api/content) that get written outside of the dotCMS temp directory. In the case of this exploit, an attacker can upload a special .jsp file to the webapp/ROOT directory of dotCMS which can allow for remote code execution.
SentinelOne
HolyGhost (blogs_sentinelone, 2022-11-30, CVSS 9.8) [CRITICAL]
# HolyGhost (H0lyGh0st) Ransomware: In-Depth Analysis, Detection, and Mitigation
## Summary of HolyGhost Ransomware
HolyGhost ransomware (aka H0lygh0st) emerged in June 2021 and is operated by North Korean threat actors DarkSeoul (aka DEV-0530). HolyGhost targets corporate networks and engages in multi-extortion, demanding payment for decryption tools as well as for the non-release of stolen data. While HolyGhost resembles traditional ransomware, it is also observed in conjunction with broader and more advanced threats out of the DPRK.
## What Does HolyGhost Ransomware Target?
HolyGhost ransomware primarily targets SMBs (small-to-midsize businesses) within the education, financial, manufacturing and entertainment industries.
## How Does HolyGhost Ransomware Spread?
HolyGhost ranso
Published: 2022-07-17
Added to CISA KEV: 2022-08-25
Exploited in the wild