
DSpace is vulnerable to Path Traversal attacks when importing packages using Simple Archive Format

Impact

A path traversal vulnerability is possible during the import of an archive (in Simple Archive Format), either from the command line (the ./dspace import command) or from the "Batch Import (Zip)" user interface feature. This vulnerability likely impacts all versions of DSpace 1.x <= 7.6.3, 8.0 <= 8.1, and 9.0.

An attacker may craft a malicious Simple Archive Format (SAF) package whose contents file references any system files (using relative traversal sequences) that are readable by the Tomcat user. If such a package is imported, this results in sensitive content disclosure, including retrieval of arbitrary files or configurations from the server where DSpace is running.

The Simple Archive Format (SAF) importer / Batch Import (Zip) is only usable by site administrators (from the user interface / REST API) or system administrators (from the command line). Therefore, to exploit this vulnerability, the malicious payload would have to be provided by an attacker and trusted by an administrator (who would trigger the import).

* The most severe practical impact is a case where an attacker obtains DSpace administrator credentials and uses the Batch Import feature with a malicious SAF archive to expose sensitive local files readable by the Tomcat user.
* An attacker without administrative credentials might use some other tactic to convince an administrator to import a malicious SAF archive they have supplied.

Patches

The fix is included in DSpace 7.6.4, 8.2 and 9.1. Please upgrade to…
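The defensive check that the advisory implies, written out as an added example that is not DSpace's own code: every bitstream named in an item's contents file must resolve, after `..` components and symlinks are followed, to a regular file inside that item directory, and anything else is rejected before a single byte is read. The example assumes a SAF layout in which each item directory holds a `contents` file with one bitstream per line, the first tab-separated field being the file name and later fields being options such as `bundle:...`; that layout, the function names, and all sample data below are constructed for the example and not taken from the advisory.

```python
"""
Validate a Simple Archive Format (SAF) item's `contents` manifest so that every
bitstream it names stays inside the item directory.

Assumed manifest layout (not stated in the advisory): one bitstream per line,
first tab-separated field is the file name, later fields are options.
"""
import os
import tempfile
from pathlib import Path


def parse_contents(text):
    """Return the file-name field of each non-empty line of a `contents` manifest."""
    names = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        names.append(line.split("\t")[0])
    return names


def is_inside(base_dir, candidate):
    """True if `candidate`, resolved relative to `base_dir` with `..` and symlinks
    followed, lies strictly under `base_dir`.

    An absolute `candidate` makes os.path.join discard `base_dir`, so it is
    rejected by the same prefix comparison as a traversal sequence.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base_dir, candidate))
    return target.startswith(base + os.sep)


def check_item(item_dir):
    """Split a `contents` manifest into (accepted, rejected) entries.

    Rejected entries carry a reason: the name escapes the item directory, or it
    does not point at a regular file inside it.
    """
    manifest = Path(item_dir, "contents").read_text(encoding="utf-8")
    accepted, rejected = [], []
    for name in parse_contents(manifest):
        if not is_inside(item_dir, name):
            rejected.append((name, "escapes item directory"))
        elif not os.path.isfile(os.path.join(item_dir, name)):
            rejected.append((name, "not a regular file in the item"))
        else:
            accepted.append(name)
    return accepted, rejected


def build_sample_item():
    """Construct a throw-away SAF item with one legitimate bitstream and manifest
    entries that try to reach outside the item (constructed sample data only)."""
    root = tempfile.mkdtemp(prefix="saf-demo-")
    item = os.path.join(root, "item_000")
    os.makedirs(item)
    Path(item, "paper.pdf").write_bytes(b"%PDF-1.4 constructed sample\n")
    # A file outside the item but inside the archive root must still be rejected.
    Path(root, "neighbour.txt").write_text("not part of item_000\n")
    manifest = "\n".join([
        "paper.pdf\tbundle:ORIGINAL",            # legitimate bitstream
        "../neighbour.txt\tbundle:ORIGINAL",     # steps out of the item directory
        "../../../../outside/secret.conf",       # constructed traversal sequence
        "/absolute/path/secret.conf",            # constructed absolute path
        "missing.pdf",                           # inside the item, but does not exist
        "",
    ])
    Path(item, "contents").write_text(manifest)
    return item


def demo():
    """Build the sample item and return its (accepted, rejected) manifest entries."""
    return check_item(build_sample_item())


if __name__ == "__main__":
    ok, bad = demo()
    print("accepted:", ok)
    for name, reason in bad:
        print("rejected:", name, "->", reason)
```

The realpath-then-prefix comparison is what makes the check robust: string filtering for `..` misses symlinks and absolute paths, while resolving both sides and comparing against `base + os.sep` treats all three the same way. Running the importer as a low-privilege Tomcat user, as the advisory's wording assumes, limits what an accepted entry can ever expose but is not a substitute for this check.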

