7.2

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-41189

GHSA ID

GHSA-cf2j-vf36-c6w8

EPSS Score

0.6872%

CWE

CWE-863

Published

11/1/2021

Updated

2/1/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-41189

CVE-2021-41189: Communities and collections administrators can escalate their privilege up to system administrator

Impact

Any community or collection administrator can escalate their permission up to become system administrator.

This vulnerability only existed in 7.0 and does not impact 6.x or below.

Patches

Fix is included in 7.1. Please upgrade to 7.1 at your earliest convenience.

Workarounds

In 7.0, temporarily disable the ability for community or collection administrators to manage permissions or workflows settings, i.e. set the following properties in your local.cfg / dspace.cfg file

core.authorization.collection-admin.policies = false
core.authorization.community-admin.policies = false
core.authorization.community-admin.collection.workflows = false

Once upgraded to 7.1, these settings can be safely reverted to the default values of true.

References

Discovered during investigation of https://github.com/DSpace/DSpace/issues/7928

For more information

If you have any questions or comments about this advisory:

Email us at security@dspace.org

(GitHub Advisory)

7.2

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-41189

GHSA ID

GHSA-cf2j-vf36-c6w8

EPSS Score

0.6872%

CWE

CWE-863

Published

11/1/2021

Updated

2/1/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.dspace:dspace-api	maven	>= 7.0, < 7.1	7.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from how group parent objects were resolved. The pre-patch code in GroupServiceImpl.java's getParentObject() checked for ANY resource policy with DEFAULT_ITEM_READ/DEFAULT_BITSTREAM_READ on a collection, then returned the first matching collection. This allowed attackers to associate the system admin group with a collection they controlled via crafted policies. The fix introduced filtering using getDefaultReadGroupName() to ensure only legitimate default read groups (with properly formatted names) are linked, closing the escalation path. The commit message and CWE-863 alignment confirm this was an authorization bypass via improper policy association.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t *ny *ommunity or *oll**tion **ministr*tor **n *s**l*t* t**ir p*rmission up to ***om* syst*m **ministr*tor. T*is vuln*r**ility only *xist** in *.* *n* *o*s not imp**t *.x or **low. ### P*t***s *ix is in*lu*** in [*.*](*ttps://*it*u*.*om/*

Reasoning

T** vuln*r**ility st*mm** *rom *ow *roup p*r*nt o*j**ts w*r* r*solv**. T** pr*-p*t** *o** in *roupS*rvi**Impl.j*v*'s **tP*r*ntO*j**t() ****k** *or *NY r*sour** poli*y wit* ****ULT_IT*M_R***/****ULT_*ITSTR**M_R*** on * *oll**tion, t**n r*turn** t** *i

7.2

Basic Information

Concerned about an active attack path?

CVE-2021-41189: Communities and collections administrators can escalate their privilege up to system administrator

Impact

Patches

Workarounds

References

For more information

7.2

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI