DSpace Path Traversal Vulnerability in SAF Import Allowing Sensitive File Disclosure

Vulnerability

A path traversal vulnerability has been identified in DSpace repository software versions 1.x prior to 7.6.4, 8.0 prior to 8.2, and 9.0. It occurs during the import of archives in Simple Archive Format (SAF), either via the command-line import function or through the Batch Import (Zip) feature in the user interface. An attacker can craft a malicious SAF package whose file references use relative traversal sequences to point at system files readable by the operating-system account that runs Tomcat. When such a package is imported, those files or configuration data on the server hosting DSpace can be disclosed. Exploitation requires a site or system administrator, who must be convinced to import the malicious archive.

Impact

Exploitation of this vulnerability could result in the unauthorized disclosure of sensitive files or configurations from the server, potentially including DSpace administrator credentials, which could be used to further exploit the application.

Reproduction

To reproduce this vulnerability, create a SAF package that includes a 'contents' file referencing system files accessible by the Tomcat user, using relative paths to traverse the file system. This package can then be imported using the DSpace command-line interface or through the Batch Import feature in the DSpace user interface, both of which are available to administrators.

Remediation

Users can upgrade to DSpace versions 7.6.4, 8.2, or 9.1, where this vulnerability has been patched. For those unable to upgrade immediately, a manual patch is available and can be applied by downloading the appropriate patch file, applying it to the DSpace backend, and then updating the DSpace site.
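The fix amounts to refusing any 'contents' entry that does not resolve inside the item's own directory. The following Python check is added here as an illustration and is not DSpace's own code; it applies that rule to a constructed 'contents' file, assumes the SAF convention that bitstreams sit flat in the item folder, and uses made-up file names and a made-up symlink target.

```python
import os, tempfile
from pathlib import PurePosixPath

# Constructed sample SAF 'contents' file (not from a real package). Each line
# names one bitstream in its first tab-separated field; later fields carry
# bundle/permissions/description. Three entries try to leave the item folder.
SAMPLE_CONTENTS = (
    "thesis.pdf\tbundle:ORIGINAL\tdescription:Main document\n"
    "license.txt\tbundle:LICENSE\n"
    "../../../../etc/hostname\tbundle:ORIGINAL\n"
    "/tmp/outside.txt\tbundle:ORIGINAL\n"
    "sub/../figure1.png\tbundle:ORIGINAL\n"
)

def parse_contents(text: str) -> list[str]:
    """Return the bitstream names listed in a 'contents' file, skipping blank lines."""
    return [ln.split("\t", 1)[0] for ln in text.splitlines() if ln.strip()]

def is_safe_bitstream_name(name: str) -> bool:
    """Lexical check: SAF keeps bitstreams flat in the item directory, so only a
    single plain file name is allowed (no separators, '..', absolute paths, NUL)."""
    if not name or "\\" in name or "\x00" in name:
        return False
    p = PurePosixPath(name)
    return not p.is_absolute() and len(p.parts) == 1 and p.parts[0] not in (".", "..")

def verdict(item_dir: str, name: str) -> str:
    """Return 'ok' or the reason a listed bitstream would be rejected."""
    if not is_safe_bitstream_name(name):
        return "unsafe bitstream name"
    root = os.path.realpath(item_dir)
    target = os.path.realpath(os.path.join(root, name))
    # realpath follows symlinks, so a clean-named link pointing outside is caught too.
    if target == root or os.path.commonpath([root, target]) != root:
        return "resolves outside item directory"
    return "ok"

def check_contents(item_dir: str, text: str) -> dict[str, str]:
    """Map every bitstream listed in a 'contents' file to its verdict."""
    return {name: verdict(item_dir, name) for name in parse_contents(text)}

def demo() -> dict[str, str]:
    """Build a throwaway item folder holding one symlinked bitstream and check it."""
    item_dir = tempfile.mkdtemp(prefix="saf_item_")
    for fn in ("thesis.pdf", "license.txt"):
        open(os.path.join(item_dir, fn), "w").close()
    # Constructed symlink: clean name, but it points outside the item folder.
    os.symlink("/etc/hostname", os.path.join(item_dir, "notes.txt"))
    return check_contents(item_dir, SAMPLE_CONTENTS + "notes.txt\tbundle:ORIGINAL\n")
```

Running `demo()` on a POSIX system returns a dict in which only the two genuine bitstreams are marked "ok"; the lexical check alone (via `check_contents`) already rejects the three traversal entries without touching the filesystem.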

Added: Jul 15, 2025, 3:56 PM
Updated: Jul 15, 2025, 3:56 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 2.5
exploitability: 6.2
remediation: 7.9
relevance: 0.3
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.