CVE-2022-31193

2022-08-0121:15:13

CWE-601

[email protected]

web.nvd.nist.gov

dspace

open source

software

dspace-jspui

repository

digital resources

vulnerability

open redirect

attack

patch

upgrade

7.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

0.001 Low

EPSS

Percentile

31.0%

JSON

DSpace open source software is a repository application which provides durable access to digital resources. dspace-jspui is a UI component for DSpace. The JSPUI controlled vocabulary servlet is vulnerable to an open redirect attack, where an attacker can craft a malicious URL that looks like a legitimate DSpace/repository URL. When that URL is clicked by the target, it redirects them to a site of the attacker’s choice. This issue has been patched in versions 5.11 and 6.4. Users are advised to upgrade. There are no known workaround for this vulnerability.

Affected configurations

Vulners

NVD

Node

dspacedspaceRange6.0–6.4

dspacedspaceRange4.0–5.11

CPENameOperatorVersion
duraspace:dspaceduraspace dspacele5.10
duraspace:dspaceduraspace dspacelt6.4

CPE	Name	Operator	Version
duraspace:dspace	duraspace dspace	le	5.10
duraspace:dspace	duraspace dspace	lt	6.4

CNA Affected

[
  {
    "product": "DSpace",
    "vendor": "DSpace",
    "versions": [
      {
        "status": "affected",
        "version": ">= 6.0, < 6.4"
      },
      {
        "status": "affected",
        "version": ">= 4.0, < 5.11"
      }
    ]
  }
]