Vulnerability	Vulnerable Version
H Directory Traversal org.dspace:dspace-api is a DSpace core data model and service APIs. Affected versions of this package are vulnerable to Directory Traversal in the `unzip()` function in `ItemImport.java` when importing a simple archive format (SAF) package. A user with Administrator privileges or command line access to the affected system can write files to arbitrary locations with the privileges of the Tomcat/DSpace user. Note:* Only an Administrative user or a user with command-line access to the server is able to import/upload SAF packages. Therefore, assuming those users do not blindly upload untrusted SAF packages, then it is unlikely your site could be impacted by this vulnerability. Also, this vulnerability does not impact version 7. How to fix Directory Traversal? Upgrade `org.dspace:dspace-api` to version 5.11, 6.4 or higher.	[,5.11)[6.0,6.4)

Directory Traversal

org.dspace:dspace-api is a DSpace core data model and service APIs.

Affected versions of this package are vulnerable to Directory Traversal in the unzip() function in ItemImport.java when importing a simple archive format (SAF) package. A user with Administrator privileges or command line access to the affected system can write files to arbitrary locations with the privileges of the Tomcat/DSpace user.

Note:* Only an Administrative user or a user with command-line access to the server is able to import/upload SAF packages. Therefore, assuming those users do not blindly upload untrusted SAF packages, then it is unlikely your site could be impacted by this vulnerability.

Also, this vulnerability does not impact version 7.

How to fix Directory Traversal?

Upgrade org.dspace:dspace-api to version 5.11, 6.4 or higher.

[,5.11)[6.0,6.4)

Go back to all versions of this package