org.dspace:dspace-api@7.6.6

  • latest version

    10.0

  • latest non vulnerable version

  • first published

    18 years ago

  • latest version published

    1 months ago

  • licenses detected

  • package registry

  • Direct Vulnerabilities

    Known vulnerabilities in the org.dspace:dspace-api package. This does not include vulnerabilities belonging to this package’s dependencies.

    Fix vulnerabilities automatically

    Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

    Fix for free
    VulnerabilityVulnerable Version
    • H
    Directory Traversal

    org.dspace:dspace-api is a DSpace core data model and service APIs.

    Affected versions of this package are vulnerable to Directory Traversal through the initCurator reporter output handling in dspace-api/src/main/java/org/dspace/curate/Curation.java. An attacker can overwrite or create files in arbitrary writable locations by supplying a crafted -r reporter path when running a curation task through the web UI. The vulnerable code passed this.reporter directly to new PrintStream(...) without restricting it to a configured base directory, so a DSpace collection, community, or site administrator could direct curation output into unexpected paths such as configuration files or webapp resources. This can break the site or, in chained scenarios, support privilege escalation by placing attacker-controlled content where the server later reads or executes it.

    Workarounds

    • Temporarily disable all Curation Tasks by commenting out every plugin.named.org.dspace.curate.CurationTask entry in dspace/config/modules/curate.cfg; this prevents the web UI and dspace curate from accepting the -r reporter output path and blocks the traversal/write attack path.
    • If you rely on scheduled dspace curate jobs, stop or rework those cron jobs before disabling the curation task plugins; this avoids breaking legitimate automated curation runs while you remove the vulnerable feature.

    How to fix Directory Traversal?

    Upgrade org.dspace:dspace-api to version 7.6.7, 8.4, 9.3, 10.0 or higher.

    [,7.6.7)[8.0-rc1,8.4)[9.0-rc1,9.3)[10-rc1,10.0)
    • M
    Improper Restriction of Names for Files and Other Resources

    org.dspace:dspace-api is a DSpace core data model and service APIs.

    Affected versions of this package are vulnerable to Improper Restriction of Names for Files and Other Resources via the OREIngestionCrosswalk.ingest process in dspace-api/src/main/java/org/dspace/content/crosswalk/OREIngestionCrosswalk.java. An attacker can ingest a malicious ORE resource by supplying an aggregated resource URI such as file:///etc/passwd, causing the harvester to open and ingest a local server file as a bitstream. This affects OAI harvests where the ORE crosswalk processes attacker-controlled XML from a remote endpoint. The result is disclosure of local file contents inside DSpace items, exposing server data to users who can later access the harvested content.

    Workarounds

    • Disable the ORE ingestion crosswalk in dspace.cfg by removing or commenting out org.dspace.content.crosswalk.OREIngestionCrosswalk = ore, \ from plugin.named.org.dspace.content.crosswalk.IngestionCrosswalk; this prevents the OAI harvester from processing attacker-controlled ORE resources that could point to file:///... paths.

    How to fix Improper Restriction of Names for Files and Other Resources?

    Upgrade org.dspace:dspace-api to version 7.6.7, 8.4, 9.3, 10.0 or higher.

    [,7.6.7)[8.0-rc1,8.4)[9.0-rc1,9.3)[10-rc1,10.0)