CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
55.1%
ItemImportServiceImpl is vulnerable to a path traversal vulnerability. This means a malicious SAF (simple archive format) package could cause a file/directory to be created anywhere the Tomcat/DSpace user can write to on the server. However, this path traversal vulnerability is only possible by a user with special privileges (either Administrators or someone with command-line access to the server). This vulnerability impacts the XMLUI, JSPUI and command-line.
This vulnerability does NOT impact 7.x.
DSpace 6.x:
DSpace 5.x:
If at all possible, we recommend upgrading your DSpace site based on the upgrade instructions. However, if you are unable to do so, you can manually apply the above patches as follows:
[dspace-src]
folder, apply the patch, e.g. git apply [name-of-file].patch
mvn -U clean package
(This will recompile all DSpace code)ant update
(This will copy all updated WARs / configs to your installation directory). Depending on your setup you also may need to copy the updated WARs over to your Tomcat webapps folder.As a basic workaround, you may block all access to the following URL paths:
/admin/batchimport
path (this is the URL of the Admin Batch Import tool). Keep in mind, if your site uses the path “/xmlui”, then you’d need to block access to /xmlui/admin/batchimport
./dspace-admin/batchimport
path (this is the URL of the Admin Batch Import tool). Keep in mind, if your site uses the path “/jspui”, then you’d need to block access to /jspui/dspace-admin/batchimport
.Keep in mind, only an Administrative user or a user with command-line access to the server is able to import/upload SAF packages. Therefore, assuming those users do not blindly upload untrusted SAF packages, then it is unlikely your site could be impacted by this vulnerability.
If you have any questions or comments about this advisory: