org.dspace:dspace-api@9.2

  • latest version

    10.0

  • latest non vulnerable version

  • first published

    18 years ago

  • latest version published

    1 months ago

  • licenses detected

  • package registry

  • Direct Vulnerabilities

    Known vulnerabilities in the org.dspace:dspace-api package. This does not include vulnerabilities belonging to this package’s dependencies.

    Fix vulnerabilities automatically

    Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

    Fix for free
    VulnerabilityVulnerable Version
    • H
    Directory Traversal

    org.dspace:dspace-api is a DSpace core data model and service APIs.

    Affected versions of this package are vulnerable to Directory Traversal through the initCurator reporter output handling in dspace-api/src/main/java/org/dspace/curate/Curation.java. An attacker can overwrite or create files in arbitrary writable locations by supplying a crafted -r reporter path when running a curation task through the web UI. The vulnerable code passed this.reporter directly to new PrintStream(...) without restricting it to a configured base directory, so a DSpace collection, community, or site administrator could direct curation output into unexpected paths such as configuration files or webapp resources. This can break the site or, in chained scenarios, support privilege escalation by placing attacker-controlled content where the server later reads or executes it.

    Workarounds

    • Temporarily disable all Curation Tasks by commenting out every plugin.named.org.dspace.curate.CurationTask entry in dspace/config/modules/curate.cfg; this prevents the web UI and dspace curate from accepting the -r reporter output path and blocks the traversal/write attack path.
    • If you rely on scheduled dspace curate jobs, stop or rework those cron jobs before disabling the curation task plugins; this avoids breaking legitimate automated curation runs while you remove the vulnerable feature.

    How to fix Directory Traversal?

    Upgrade org.dspace:dspace-api to version 7.6.7, 8.4, 9.3, 10.0 or higher.

    [,7.6.7)[8.0-rc1,8.4)[9.0-rc1,9.3)[10-rc1,10.0)
    • H
    Arbitrary Code Injection

    org.dspace:dspace-api is a DSpace core data model and service APIs.

    Affected versions of this package are vulnerable to Arbitrary Code Injection through the Velocity template processing in org.dspace.core.LDN and org.dspace.core.Email. An attacker with DSpace administrator credentials can supply or modify LDN/Velocity template content so the template engine resolves reflective access and executes Java code during LDN message generation. This affects repositories that use LDN message templates, and it can let an authenticated administrator run arbitrary code on the DSpace backend, compromising the server and any data or actions reachable from that process.

    Notes

    • The vulnerable LDN/email template context exposed the full ConfigurationService object to Velocity, so template authors could access arbitrary configuration keys rather than just the small set intended for message rendering.
    • The issue is limited to deployments using the Velocity-based LDN/message-template path; the maintainer's advisory notes that ldn.enabled=false disables the known attack path.

    Workarounds

    • Disable LDN in dspace.cfg or local.cfg by setting ldn.enabled=false if LDN is not essential; this removes the known attack path for the template RCE issue.
    • If you cannot upgrade immediately, manually apply the maintainer-provided patch for your branch to the DSpace backend, then rebuild, redeploy, and restart the backend; this mitigates the vulnerable Velocity template processing used by LDN and email templating.

    How to fix Arbitrary Code Injection?

    Upgrade org.dspace:dspace-api to version 8.4, 9.3, 10.0 or higher.

    [8.0-rc1,8.4)[9.0-rc1,9.3)[10.0-rc1,10.0)
    • M
    Directory Traversal

    org.dspace:dspace-api is a DSpace core data model and service APIs.

    Affected versions of this package are vulnerable to Directory Traversal through the handleCurationTask process in dspace-api/src/main/java/org/dspace/core/LDN.java. An attacker with DSpace administrator credentials can supply an inbound LDN template path that points outside the trusted LDN template directory and make the server read an arbitrary file as an Apache Velocity template. This lets the attacker use a file elsewhere on the filesystem as LDN input, which can disclose sensitive data or be leveraged to execute arbitrary Java code through malicious template content.

    Notes

    • The vulnerable behavior is broader than just reading LDN templates: the same code path also accepted arbitrary filesystem locations for curation task input and reporter output, so deployments exposing those paths through administrative workflows had the same path-handling weakness.

    Workarounds

    • Set ldn.enabled=false in dspace.cfg or local.cfg to disable LDN if it is not essential, which prevents the attacker from abusing LDN message generation to read an arbitrary file as a template.

    How to fix Directory Traversal?

    Upgrade org.dspace:dspace-api to version 8.4, 9.3, 10.0 or higher.

    [8.0-rc1,8.4)[9.0-rc1,9.3)[10.0-rc1,10.0)
    • M
    Improper Restriction of Names for Files and Other Resources

    org.dspace:dspace-api is a DSpace core data model and service APIs.

    Affected versions of this package are vulnerable to Improper Restriction of Names for Files and Other Resources via the OREIngestionCrosswalk.ingest process in dspace-api/src/main/java/org/dspace/content/crosswalk/OREIngestionCrosswalk.java. An attacker can ingest a malicious ORE resource by supplying an aggregated resource URI such as file:///etc/passwd, causing the harvester to open and ingest a local server file as a bitstream. This affects OAI harvests where the ORE crosswalk processes attacker-controlled XML from a remote endpoint. The result is disclosure of local file contents inside DSpace items, exposing server data to users who can later access the harvested content.

    Workarounds

    • Disable the ORE ingestion crosswalk in dspace.cfg by removing or commenting out org.dspace.content.crosswalk.OREIngestionCrosswalk = ore, \ from plugin.named.org.dspace.content.crosswalk.IngestionCrosswalk; this prevents the OAI harvester from processing attacker-controlled ORE resources that could point to file:///... paths.

    How to fix Improper Restriction of Names for Files and Other Resources?

    Upgrade org.dspace:dspace-api to version 7.6.7, 8.4, 9.3, 10.0 or higher.

    [,7.6.7)[8.0-rc1,8.4)[9.0-rc1,9.3)[10-rc1,10.0)