DSpace XML External Entity Injection Vulnerability in Simple Archive Format Imports

A vulnerability allowing XML External Entity (XXE) injection has been identified in DSpace repository software, affecting all versions prior to 7.6.4, 8.2, and 9.1. This vulnerability arises because external entities are not disabled when XML files are parsed during the import of archives in Simple Archive Format (SAF). This issue can be exploited through the command-line import or the 'Batch Import (Zip)' feature in the user interface. Additionally, the vulnerability extends to XML responses from certain upstream services (ArXiv, Crossref, OpenAIRE, Creative Commons) used in external source imports via the user interface or REST API. An attacker could exploit this vulnerability to access sensitive local files readable by the Tomcat user, inject content into metadata fields, or execute request forgery attacks to obtain secrets from authenticated services.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive files and information, including DSpace administrator credentials, which could be used to exploit the vulnerability via the Batch Import feature.

Reproduction

The vulnerability can be reproduced by importing a SAF archive that contains a malicious payload exploiting the XXE vulnerability, or by using the 'Import from External Sources' feature with a service that delivers such a payload.

Remediation

Users can upgrade to DSpace versions 7.6.4, 8.2, or 9.1. For those unable to upgrade immediately, it is possible to manually apply a patch available in the DSpace GitHub repository.