All Versions
- DSpace 7.x (Current Release)
- DSpace 8.x (Unreleased)
- DSpace 6.x (EOL)
- DSpace 5.x (EOL)
- More Versions...
...
Note | ||
---|---|---|
| ||
DSpace 4.3 contains security fixes for both the XMLUI and JSPUI. To ensure your 4.x site is secure, we highly recommend all DSpace 4.x users upgrade to DSpace 4.3. We also highly recommend removing any "allowLinking=true" settings from your Tomcat's <Context> settingsconfiguration. Previously our installation documentation erroneously listed examples which included "allowLinking=true", while the Tomcat documentation lists it as a possible security concern. The XMLUI Directory Traversal Vulnerability (see below) is also exacerbated by this setting. |
...
[HIGH SEVERITY] XMLUI Directory Traversal Vulnerabilities (DS-2445 - requires a JIRA account to access for two weeks, and then will be public): These vulnerabilities allow someone to potentially access any file on your local filesystem which is readable to the Tomcat user account. This includes files which are unrelated to DSpace or Tomcat, but are readable to all users on the filesystem (e.g. /etc/passwd, /etc/hosts, etc.). This also includes Tomcat configuration files (which may or may not contain passwords). These vulnerabilities have existed since DSpace 1.5.2.
Discovered by: Khalil Shreateh, with additional (related) vulnerabilities discovered by the DSpace Committer Team
...