Directory Traversalorg.dspace:dspace-api is a DSpace core data model and service APIs.
Affected versions of this package are vulnerable to Directory Traversal through the initCurator reporter output handling in dspace-api/src/main/java/org/dspace/curate/Curation.java. An attacker can overwrite or create files in arbitrary writable locations by supplying a crafted -r reporter path when running a curation task through the web UI. The vulnerable code passed this.reporter directly to new PrintStream(...) without restricting it to a configured base directory, so a DSpace collection, community, or site administrator could direct curation output into unexpected paths such as configuration files or webapp resources. This can break the site or, in chained scenarios, support privilege escalation by placing attacker-controlled content where the server later reads or executes it.
Workarounds
- Temporarily disable all Curation Tasks by commenting out every
plugin.named.org.dspace.curate.CurationTask entry in dspace/config/modules/curate.cfg; this prevents the web UI and dspace curate from accepting the -r reporter output path and blocks the traversal/write attack path.
- If you rely on scheduled
dspace curate jobs, stop or rework those cron jobs before disabling the curation task plugins; this avoids breaking legitimate automated curation runs while you remove the vulnerable feature.
How to fix Directory Traversal? Upgrade org.dspace:dspace-api to version 7.6.7, 8.4, 9.3, 10.0 or higher.
| [,7.6.7)[8.0-rc1,8.4)[9.0-rc1,9.3)[10-rc1,10.0) |
Improper Restriction of Names for Files and Other Resourcesorg.dspace:dspace-api is a DSpace core data model and service APIs.
Affected versions of this package are vulnerable to Improper Restriction of Names for Files and Other Resources via the OREIngestionCrosswalk.ingest process in dspace-api/src/main/java/org/dspace/content/crosswalk/OREIngestionCrosswalk.java. An attacker can ingest a malicious ORE resource by supplying an aggregated resource URI such as file:///etc/passwd, causing the harvester to open and ingest a local server file as a bitstream. This affects OAI harvests where the ORE crosswalk processes attacker-controlled XML from a remote endpoint. The result is disclosure of local file contents inside DSpace items, exposing server data to users who can later access the harvested content.
Workarounds
- Disable the ORE ingestion crosswalk in
dspace.cfg by removing or commenting out org.dspace.content.crosswalk.OREIngestionCrosswalk = ore, \ from plugin.named.org.dspace.content.crosswalk.IngestionCrosswalk; this prevents the OAI harvester from processing attacker-controlled ORE resources that could point to file:///... paths.
How to fix Improper Restriction of Names for Files and Other Resources? Upgrade org.dspace:dspace-api to version 7.6.7, 8.4, 9.3, 10.0 or higher.
| [,7.6.7)[8.0-rc1,8.4)[9.0-rc1,9.3)[10-rc1,10.0) |
Directory Traversalorg.dspace:dspace-api is a DSpace core data model and service APIs.
Affected versions of this package are vulnerable to Directory Traversal in the import process when handling Simple Archive Format packages. An attacker can access sensitive files on the server by crafting a malicious archive where the contents file references files outside the intended directory using relative traversal sequences.
Note:
This is only exploitable if an administrator imports a malicious archive or an attacker obtains DSpace administrator credentials.
How to fix Directory Traversal? Upgrade org.dspace:dspace-api to version 7.6.4, 8.2, 9.1 or higher.
| [,7.6.4)[8.0,8.2)[9.0,9.1) |
XML External Entity (XXE) Injectionorg.dspace:dspace-api is a DSpace core data model and service APIs.
Affected versions of this package are vulnerable to XML External Entity (XXE) Injection via the XML parsing process during archive imports or when handling XML responses from upstream services. An attacker can access sensitive files or data by supplying a malicious XML payload that is processed by an administrator or by compromising an external service to deliver the payload.
Note:
This is only exploitable if an administrator imports a malicious archive or an attacker obtains DSpace administrator credentials.
How to fix XML External Entity (XXE) Injection? Upgrade org.dspace:dspace-api to version 7.6.4, 8.2, 9.1 or higher.
| [,7.6.4)[8.0,8.2)[9.0,9.1) |
Access Restriction Bypassorg.dspace:dspace-api is a DSpace core data model and service APIs.
Affected versions of this package are vulnerable to Access Restriction Bypass. Multiple access control issues exist in dspace-api development versions. These issues include:
- The SolrServiceResourceRestrictionPlugin doesn't check for dates on permissions, causing the embargoed items to be returned
- Discovery ignores the PreAuthorize permissions check which should ensure the item cannot be returned, not even when it's embedded
Note: These issues only exist in unreleased/development versions of DSpace v7.0, and it does not impact any production releases outside of beta/preview releases.
How to fix Access Restriction Bypass? Upgrade org.dspace:dspace-api to version 7.0-preview-1 or higher.
| [7.0-beta1,7.0-preview-1) |