org.dspace:dspace-api 7.0-preview-1 vulnerabilities

Known vulnerabilities in the org.dspace:dspace-api package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability	Vulnerable Version
H Directory Traversal org.dspace:dspace-api is a DSpace core data model and service APIs. Affected versions of this package are vulnerable to Directory Traversal in the import process when handling Simple Archive Format packages. An attacker can access sensitive files on the server by crafting a malicious archive where the `contents` file references files outside the intended directory using relative traversal sequences. Note: This is only exploitable if an administrator imports a malicious archive or an attacker obtains DSpace administrator credentials. How to fix Directory Traversal? Upgrade `org.dspace:dspace-api` to version 7.6.4, 8.2, 9.1 or higher.	[,7.6.4)[8.0,8.2)[9.0,9.1)
H XML External Entity (XXE) Injection org.dspace:dspace-api is a DSpace core data model and service APIs. Affected versions of this package are vulnerable to XML External Entity (XXE) Injection via the XML parsing process during archive imports or when handling XML responses from upstream services. An attacker can access sensitive files or data by supplying a malicious XML payload that is processed by an administrator or by compromising an external service to deliver the payload. Note: This is only exploitable if an administrator imports a malicious archive or an attacker obtains DSpace administrator credentials. How to fix XML External Entity (XXE) Injection? Upgrade `org.dspace:dspace-api` to version 7.6.4, 8.2, 9.1 or higher.	[,7.6.4)[8.0,8.2)[9.0,9.1)
H Incorrect Authorization org.dspace:dspace-api is a DSpace core data model and service APIs. Affected versions of this package are vulnerable to Incorrect Authorization. Any community or collection administrator can escalate their permission up to become system administrator. How to fix Incorrect Authorization? Upgrade `org.dspace:dspace-api` to version 7.1 or higher.	[7.0,7.1)

Vulnerability

Vulnerable Version

Directory Traversal

org.dspace:dspace-api is a DSpace core data model and service APIs.

Affected versions of this package are vulnerable to Directory Traversal in the import process when handling Simple Archive Format packages. An attacker can access sensitive files on the server by crafting a malicious archive where the contents file references files outside the intended directory using relative traversal sequences.

Note:

This is only exploitable if an administrator imports a malicious archive or an attacker obtains DSpace administrator credentials.

How to fix Directory Traversal?

Upgrade org.dspace:dspace-api to version 7.6.4, 8.2, 9.1 or higher.

[,7.6.4)[8.0,8.2)[9.0,9.1)

XML External Entity (XXE) Injection

org.dspace:dspace-api is a DSpace core data model and service APIs.

Affected versions of this package are vulnerable to XML External Entity (XXE) Injection via the XML parsing process during archive imports or when handling XML responses from upstream services. An attacker can access sensitive files or data by supplying a malicious XML payload that is processed by an administrator or by compromising an external service to deliver the payload.

Note:

This is only exploitable if an administrator imports a malicious archive or an attacker obtains DSpace administrator credentials.

How to fix XML External Entity (XXE) Injection?

Upgrade org.dspace:dspace-api to version 7.6.4, 8.2, 9.1 or higher.

[,7.6.4)[8.0,8.2)[9.0,9.1)

Incorrect Authorization

org.dspace:dspace-api is a DSpace core data model and service APIs.

Affected versions of this package are vulnerable to Incorrect Authorization. Any community or collection administrator can escalate their permission up to become system administrator.

How to fix Incorrect Authorization?

Upgrade org.dspace:dspace-api to version 7.1 or higher.

[7.0,7.1)

org.dspace:dspace-api@7.0-preview-1 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

How to fix?