Vulnerability	Vulnerable Version
H Directory Traversal org.dspace:dspace-api is a DSpace core data model and service APIs. Affected versions of this package are vulnerable to Directory Traversal in the import process when handling Simple Archive Format packages. An attacker can access sensitive files on the server by crafting a malicious archive where the `contents` file references files outside the intended directory using relative traversal sequences. Note: This is only exploitable if an administrator imports a malicious archive or an attacker obtains DSpace administrator credentials. How to fix Directory Traversal? Upgrade `org.dspace:dspace-api` to version 7.6.4, 8.2, 9.1 or higher.	[,7.6.4)[8.0,8.2)[9.0,9.1)
H XML External Entity (XXE) Injection org.dspace:dspace-api is a DSpace core data model and service APIs. Affected versions of this package are vulnerable to XML External Entity (XXE) Injection via the XML parsing process during archive imports or when handling XML responses from upstream services. An attacker can access sensitive files or data by supplying a malicious XML payload that is processed by an administrator or by compromising an external service to deliver the payload. Note: This is only exploitable if an administrator imports a malicious archive or an attacker obtains DSpace administrator credentials. How to fix XML External Entity (XXE) Injection? Upgrade `org.dspace:dspace-api` to version 7.6.4, 8.2, 9.1 or higher.	[,7.6.4)[8.0,8.2)[9.0,9.1)

Directory Traversal

org.dspace:dspace-api is a DSpace core data model and service APIs.

Affected versions of this package are vulnerable to Directory Traversal in the import process when handling Simple Archive Format packages. An attacker can access sensitive files on the server by crafting a malicious archive where the contents file references files outside the intended directory using relative traversal sequences.

Note:

This is only exploitable if an administrator imports a malicious archive or an attacker obtains DSpace administrator credentials.

How to fix Directory Traversal?

Upgrade org.dspace:dspace-api to version 7.6.4, 8.2, 9.1 or higher.

[,7.6.4)[8.0,8.2)[9.0,9.1)

XML External Entity (XXE) Injection

org.dspace:dspace-api is a DSpace core data model and service APIs.

Affected versions of this package are vulnerable to XML External Entity (XXE) Injection via the XML parsing process during archive imports or when handling XML responses from upstream services. An attacker can access sensitive files or data by supplying a malicious XML payload that is processed by an administrator or by compromising an external service to deliver the payload.

Note:

This is only exploitable if an administrator imports a malicious archive or an attacker obtains DSpace administrator credentials.

How to fix XML External Entity (XXE) Injection?

Upgrade org.dspace:dspace-api to version 7.6.4, 8.2, 9.1 or higher.

[,7.6.4)[8.0,8.2)[9.0,9.1)

Go back to all versions of this package