Directory Traversalorg.dspace:dspace-api is a DSpace core data model and service APIs.
Affected versions of this package are vulnerable to Directory Traversal through the initCurator reporter output handling in dspace-api/src/main/java/org/dspace/curate/Curation.java. An attacker can overwrite or create files in arbitrary writable locations by supplying a crafted -r reporter path when running a curation task through the web UI. The vulnerable code passed this.reporter directly to new PrintStream(...) without restricting it to a configured base directory, so a DSpace collection, community, or site administrator could direct curation output into unexpected paths such as configuration files or webapp resources. This can break the site or, in chained scenarios, support privilege escalation by placing attacker-controlled content where the server later reads or executes it.
Workarounds
- Temporarily disable all Curation Tasks by commenting out every
plugin.named.org.dspace.curate.CurationTask entry in dspace/config/modules/curate.cfg; this prevents the web UI and dspace curate from accepting the -r reporter output path and blocks the traversal/write attack path.
- If you rely on scheduled
dspace curate jobs, stop or rework those cron jobs before disabling the curation task plugins; this avoids breaking legitimate automated curation runs while you remove the vulnerable feature.
How to fix Directory Traversal? Upgrade org.dspace:dspace-api to version 7.6.7, 8.4, 9.3, 10.0 or higher.
| [,7.6.7)[8.0-rc1,8.4)[9.0-rc1,9.3)[10-rc1,10.0) |
Improper Restriction of Names for Files and Other Resourcesorg.dspace:dspace-api is a DSpace core data model and service APIs.
Affected versions of this package are vulnerable to Improper Restriction of Names for Files and Other Resources via the OREIngestionCrosswalk.ingest process in dspace-api/src/main/java/org/dspace/content/crosswalk/OREIngestionCrosswalk.java. An attacker can ingest a malicious ORE resource by supplying an aggregated resource URI such as file:///etc/passwd, causing the harvester to open and ingest a local server file as a bitstream. This affects OAI harvests where the ORE crosswalk processes attacker-controlled XML from a remote endpoint. The result is disclosure of local file contents inside DSpace items, exposing server data to users who can later access the harvested content.
Workarounds
- Disable the ORE ingestion crosswalk in
dspace.cfg by removing or commenting out org.dspace.content.crosswalk.OREIngestionCrosswalk = ore, \ from plugin.named.org.dspace.content.crosswalk.IngestionCrosswalk; this prevents the OAI harvester from processing attacker-controlled ORE resources that could point to file:///... paths.
How to fix Improper Restriction of Names for Files and Other Resources? Upgrade org.dspace:dspace-api to version 7.6.7, 8.4, 9.3, 10.0 or higher.
| [,7.6.7)[8.0-rc1,8.4)[9.0-rc1,9.3)[10-rc1,10.0) |