CVE-2022-31195

Name of the Vulnerable Software and Affected Versions DSpace versions prior to 5.11 DSpace versions prior to 6.4

Description The ItemImportServiceImpl in DSpace is vulnerable to a path traversal vulnerability, allowing a malicious SAF package to create files or directories anywhere the Tomcat/DSpace user can write to on the server. This vulnerability is only possible by a user with special privileges, such as Administrators or those with command-line access to the server. It impacts the XMLUI, JSPUI, and command-line. Users can block access to specific URL paths as a basic workaround: /admin/batchimport for XMLUI and /dspace-admin/batchimport for JSPUI, considering the site's path usage.

Recommendations Upgrade to DSpace version 5.11 or later for DSpace 5.x Upgrade to DSpace version 6.4 or later for DSpace 6.x As a temporary workaround, block all access to the following URL paths: If using XMLUI, block access to /admin/batchimport path If using JSPUI, block access to /dspace-admin/batchimport path Manually apply the patch files provided for DSpace 5.x and 6.x if an immediate upgrade is not possible.