Advisories for Maven/Org.dspace/Dspace-Api package

2025

DSpace is vulnerable to XML External Entity injection during archive imports

Two related XXE injection possibilities have been discovered, impacting all versions of DSpace prior to 7.6.4, 8.2 and 9.1. External entities are not disabled when parsing XML files during import of an archive (in Simple Archive Format), either from command-line (./dspace import command) or from the "Batch Import (Zip)" user interface feature. (Likely impacts all versions of DSpace 1.x <= 7.6.3, 8.0 <= 8.1, and 9.0) External entities are also …

DSpace is vulnerable to Path Traversal attacks when importing packages using Simple Archive Format

A path traversal vulnerability is possible during the import of an archive (in Simple Archive Format), either from command-line (./dspace import command) or from the "Batch Import (Zip)" user interface feature. This vulnerability likely impacts all versions of DSpace 1.x <= 7.6.3, 8.0 <= 8.1, and 9.0. An attacker may craft a malicious Simple Archive Format (SAF) package where the contents file references any system files (using relative traversal sequences) …

2022

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

DSpace open source software is a repository application which provides durable access to digital resources. In affected versions the ItemImportServiceImpl is vulnerable to a path traversal vulnerability. This means a malicious SAF (simple archive format) package could cause a file/directory to be created anywhere the Tomcat/DSpace user can write to on the server. However, this path traversal vulnerability is only possible by a user with special privileges (either Administrators or …

2021

Incorrect Authorization

DSpace is an open source turnkey repository application. In version 7.0, any community or collection administrator can escalate their permission up to become system administrator. This vulnerability only exists in 7.0 and does not impact 6.x or below. This issue is patched in version 7.1. As a workaround, users of 7.0 may temporarily disable the ability for community or collection administrators to manage permissions or workflows settings.