org.dspace:dspace-api 1.5.0-beta2 vulnerabilities

Known vulnerabilities in the org.dspace:dspace-api package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability	Vulnerable Version
H Directory Traversal org.dspace:dspace-api is a DSpace core data model and service APIs. Affected versions of this package are vulnerable to Directory Traversal in the import process when handling Simple Archive Format packages. An attacker can access sensitive files on the server by crafting a malicious archive where the `contents` file references files outside the intended directory using relative traversal sequences. Note: This is only exploitable if an administrator imports a malicious archive or an attacker obtains DSpace administrator credentials. How to fix Directory Traversal? Upgrade `org.dspace:dspace-api` to version 7.6.4, 8.2, 9.1 or higher.	[,7.6.4)[8.0,8.2)[9.0,9.1)
H XML External Entity (XXE) Injection org.dspace:dspace-api is a DSpace core data model and service APIs. Affected versions of this package are vulnerable to XML External Entity (XXE) Injection via the XML parsing process during archive imports or when handling XML responses from upstream services. An attacker can access sensitive files or data by supplying a malicious XML payload that is processed by an administrator or by compromising an external service to deliver the payload. Note: This is only exploitable if an administrator imports a malicious archive or an attacker obtains DSpace administrator credentials. How to fix XML External Entity (XXE) Injection? Upgrade `org.dspace:dspace-api` to version 7.6.4, 8.2, 9.1 or higher.	[,7.6.4)[8.0,8.2)[9.0,9.1)
H Directory Traversal org.dspace:dspace-api is a DSpace core data model and service APIs. Affected versions of this package are vulnerable to Directory Traversal in the `unzip()` function in `ItemImport.java` when importing a simple archive format (SAF) package. A user with Administrator privileges or command line access to the affected system can write files to arbitrary locations with the privileges of the Tomcat/DSpace user. Note:* Only an Administrative user or a user with command-line access to the server is able to import/upload SAF packages. Therefore, assuming those users do not blindly upload untrusted SAF packages, then it is unlikely your site could be impacted by this vulnerability. Also, this vulnerability does not impact version 7. How to fix Directory Traversal? Upgrade `org.dspace:dspace-api` to version 5.11, 6.4 or higher.	[,5.11)[6.0,6.4)

Vulnerability

Vulnerable Version

Directory Traversal

org.dspace:dspace-api is a DSpace core data model and service APIs.

Affected versions of this package are vulnerable to Directory Traversal in the import process when handling Simple Archive Format packages. An attacker can access sensitive files on the server by crafting a malicious archive where the contents file references files outside the intended directory using relative traversal sequences.

Note:

This is only exploitable if an administrator imports a malicious archive or an attacker obtains DSpace administrator credentials.

How to fix Directory Traversal?

Upgrade org.dspace:dspace-api to version 7.6.4, 8.2, 9.1 or higher.

[,7.6.4)[8.0,8.2)[9.0,9.1)

XML External Entity (XXE) Injection

org.dspace:dspace-api is a DSpace core data model and service APIs.

Affected versions of this package are vulnerable to XML External Entity (XXE) Injection via the XML parsing process during archive imports or when handling XML responses from upstream services. An attacker can access sensitive files or data by supplying a malicious XML payload that is processed by an administrator or by compromising an external service to deliver the payload.

Note:

This is only exploitable if an administrator imports a malicious archive or an attacker obtains DSpace administrator credentials.

How to fix XML External Entity (XXE) Injection?

Upgrade org.dspace:dspace-api to version 7.6.4, 8.2, 9.1 or higher.

[,7.6.4)[8.0,8.2)[9.0,9.1)

Directory Traversal

org.dspace:dspace-api is a DSpace core data model and service APIs.

Affected versions of this package are vulnerable to Directory Traversal in the unzip() function in ItemImport.java when importing a simple archive format (SAF) package. A user with Administrator privileges or command line access to the affected system can write files to arbitrary locations with the privileges of the Tomcat/DSpace user.

Note:* Only an Administrative user or a user with command-line access to the server is able to import/upload SAF packages. Therefore, assuming those users do not blindly upload untrusted SAF packages, then it is unlikely your site could be impacted by this vulnerability.

Also, this vulnerability does not impact version 7.

How to fix Directory Traversal?

Upgrade org.dspace:dspace-api to version 5.11, 6.4 or higher.

[,5.11)[6.0,6.4)

org.dspace:dspace-api@1.5.0-beta2 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

How to fix?