Dspace · Dspace · CVE-2025-53622
**Name of the Vulnerable Software and Affected Versions**
DSpace versions prior to 7.6.4
DSpace versions prior to 8.2
DSpace versions prior to 9.1
**Description**
DSpace is a repository application providing access to digital resources. A path traversal issue exists during the import of an archive in Simple Archive Format (SAF), reachable from the command line (`./dspace import`) or from the "Batch Import (Zip)" user interface. An attacker can craft a malicious SAF package whose `contents` file references files outside the package using relative traversal sequences such as `../`; the importer then reads those files from the server's filesystem and attaches them to the imported item, potentially disclosing sensitive content, including arbitrary files or configuration from the server. The SAF importer and the Batch Import (Zip) feature are restricted to site and system administrators, so exploitation requires an administrator to trust the package and initiate the import.
**Recommendations**
Upgrade to DSpace version 7.6.4 or later.
Upgrade to DSpace version 8.2 or later.
Upgrade to DSpace version 9.1 or later.
Administrators must carefully inspect any SAF archive they did not construct themselves before importing it, paying close attention to each item's `contents` file and confirming that every entry names a file inside that item's directory rather than a path outside the archive.
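As an added example (not DSpace project code), the following Python checker implements the inspection recommended above: it walks an extracted SAF package, reads each item's `contents` file and reports every entry that resolves outside its item directory. It goes slightly beyond the relative `../` sequences named in the advisory by also catching absolute paths and symlinks planted in the package, since canonicalising the joined path covers all three. The SAF layout it assumes (one bitstream per line, file name first, tab-separated `bundle:`/`description:` options) and the two-item sample package it builds in a temporary directory are constructed for the demonstration.

```python
import tempfile
from pathlib import Path


def parse_contents_entry(line):
    """Return the file name from one line of a SAF `contents` file, or None.

    Assumed SAF layout: one bitstream per line, the file name first, then
    tab-separated options such as `bundle:ORIGINAL` or `description:...`.
    Blank lines and `#` comments are skipped.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    return line.split("\t")[0].strip()


def check_item(item_dir):
    """Flag `contents` entries that resolve outside the item directory.

    Each entry is joined to the item directory and canonicalised with
    resolve(), which collapses `..` segments and follows symlinks, so a
    relative traversal, an absolute path, or a symlink inside the package
    that points elsewhere all end up outside `item_dir` and get reported.
    """
    item_dir = Path(item_dir).resolve()
    contents = item_dir / "contents"
    findings = []
    if not contents.is_file():
        return findings
    lines = contents.read_text(encoding="utf-8").splitlines()
    for lineno, line in enumerate(lines, 1):
        name = parse_contents_entry(line)
        if name is None:
            continue
        # pathlib joins an absolute `name` by discarding item_dir entirely,
        # which is exactly one of the cases we want to catch.
        target = (item_dir / name).resolve()
        try:
            target.relative_to(item_dir)
        except ValueError:
            findings.append({"item": item_dir.name, "line": lineno,
                             "entry": name, "resolves_to": str(target)})
    return findings


def check_saf(root):
    """Run check_item over every item directory of an extracted SAF package."""
    root = Path(root)
    findings = []
    for item in sorted(p for p in root.iterdir() if p.is_dir()):
        findings.extend(check_item(item))
    return findings


def build_sample_package(base):
    """Write a constructed two-item SAF package under `base`.

    Sample data only: item_001 is benign, item_002 carries a relative
    traversal and an absolute path (the config path is a made-up example).
    """
    benign = Path(base) / "item_001"
    benign.mkdir()
    (benign / "paper.pdf").write_bytes(b"%PDF-1.4 sample\n")
    (benign / "contents").write_text(
        "paper.pdf\tbundle:ORIGINAL\tdescription:Main article\n",
        encoding="utf-8")

    malicious = Path(base) / "item_002"
    malicious.mkdir()
    (malicious / "cover.png").write_bytes(b"\x89PNG sample\n")
    (malicious / "contents").write_text(
        "cover.png\tbundle:ORIGINAL\n"
        "../../../../../../etc/passwd\tbundle:ORIGINAL\tdescription:notes\n"
        "/opt/dspace/config/local.cfg\tbundle:ORIGINAL\n",
        encoding="utf-8")


def run_demo():
    """Build the sample package in a temp dir and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_package(tmp)
        return check_saf(tmp)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['item']}:{f['line']} {f['entry']!r} -> {f['resolves_to']}")
```

Run `check_saf()` against the unzipped package before handing it to `./dspace import` or Batch Import (Zip) and refuse the import if it returns any findings; the benign item produces none, while both escaping entries in `item_002` are reported with the path they would actually read on the server.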