Impact Two related XXE injection possibilities have been discovered, impacting all versions of DSpace prior to 7.6.4, 8.2 and 9.1. External entities are not disabled when parsing XML files during import of an archive (in Simple Archive Format), either from command-line (./dspace import command) or from the "Batch Import (Zip)" user interface feature. (Likely impacts all versions of DSpace 1.x <= 7.6.3, 8.0 <= 8.1, and 9.0) External entities are also not explicitly disabled when parsing XML responses from some upstream services (ArXiv, Crossref, OpenAIRE, Creative Commons) used in import from external sources via the user interface or REST API. (Impacts all versions of DSpace 7.0 <= 7.6.3, 8.0 <= 8.1 and 9.0) An XXE injection in these files may result in a connection being made to an attacker's site or a local path readable by the Tomcat user, with content potentially being injected into a metadata field. In the latter case, this may result in sensitive content disclosure, including retrieving arbitrary files or configurations from the server where DSpace is running or content from remote URLs. The ability to include content from a remote URL could result in a request forgery attack, and disclosure of sensitive information in the response. The Simple Archive Format (SAF) importer / Batch Import (Zip) is only usable by site administrators (from user interface / REST API) or system administrators (from command-line). Therefore, to exploit this vulnerability, the malicious…Read More