Page History
...
This release addresses the following security issues discovered in DSpace 3.x and below:
- XMLUI Security Fixes
[HIGH SEVERITY: ] XMLUI Directory Traversal Vulnerabilities (DS-2445 - requires a JIRA account to access): These vulnerabilities allow a hacker to potentially access any file on your local filesystem which is readable to the Tomcat user account. This includes files which are unrelated to DSpace or Tomcat, but are readable to all users on the filesystem (e.g. /etc/passwd, /etc/hosts, etc.). This vulnerability has existed since DSpace 1.5.2.
Discovered by: Khalil Shreateh, with additional (related) vulnerabilities discovered by the DSpace Committer Team
- We also highly recommend immediately removing any "allowLinking=true" settings from your Tomcat <Context>s. For most configurations, this provides a "quick fix" to the most severe directory traversal vulnerability, and the Tomcat documentation lists it as a possible security concern. However, you still must upgrade or patch your DSpace in order to completely patch your DSpace.
- JSPUI Security Fixes
- [MEDIUM SEVERITY: ] JSPUI Directory Traversal Vulnerability (DS-2448 - requires a JIRA account to access): This vulnerability allows a hacker to potentially access any file within the JSPUI web application directory (e.g. WEB-INF/web.xml). This vulnerability is believed to have existed in all prior versions of DSpace.
- Discovered by Khalil Shreateh
- Discovered by Khalil Shreateh
- [LOW SEVERITY: ] Cross-site scripting (XSS injection) is possible in JSPUI Recent Submissions listings (DS-1702 - requires a JIRA account to access): This potential vulnerability could allow a depositor/submitter to embed javascript code into the metadata of a new submission, thus causing that code to be run across other user accounts. However, this vulnerability is only possible by someone with privileges to add content to your DSpace site. This vulnerability has existed since DSpace 1.5.x.
- Discovered by: Jean-Paul Zhao of University of Toronto
- Discovered by: Jean-Paul Zhao of University of Toronto
- [LOW SEVERITY: ] Cross-site scripting (XSS injection) is possible in JSPUI Discovery search form (DS-2044 - requires a JIRA account to access): This potential vulnerability could allow someone searching your site to embed HTML or Javascript into the JSPUI search form, causing it to run in their own browser. However, as those searches are not saved, they would not be run across other user accounts. This vulnerability has existed since DSpace 3.x
- 4.x / 5.x vulnerability discovered by Gabriela Mircea of McMaster University and Khalil Shreateh
- 3.x vulnerability discovered by İlyas Orak of Biznet Bilisim A.S.
- [MEDIUM SEVERITY: ] JSPUI Directory Traversal Vulnerability (DS-2448 - requires a JIRA account to access): This vulnerability allows a hacker to potentially access any file within the JSPUI web application directory (e.g. WEB-INF/web.xml). This vulnerability is believed to have existed in all prior versions of DSpace.
...
Overview
Content Tools