org.dspace:dspace-api@1.7.0 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.dspace:dspace-api package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • H
Directory Traversal

org.dspace:dspace-api is a DSpace core data model and service APIs.

Affected versions of this package are vulnerable to Directory Traversal in the unzip() function in ItemImport.java when importing a simple archive format (SAF) package. A user with Administrator privileges or command line access to the affected system can write files to arbitrary locations with the privileges of the Tomcat/DSpace user.

Note:* Only an Administrative user or a user with command-line access to the server is able to import/upload SAF packages. Therefore, assuming those users do not blindly upload untrusted SAF packages, then it is unlikely your site could be impacted by this vulnerability.

Also, this vulnerability does not impact version 7.

How to fix Directory Traversal?

Upgrade org.dspace:dspace-api to version 5.11, 6.4 or higher.

[,5.11) [6.0,6.4)