CVE-2021-41189: Communities and collections administrators can escalate their privilege up to system administrator
CVSS Score: 7.2 (CVSS v3.1)
Basic Information
CVE ID: CVE-2021-41189
GHSA ID
EPSS Score: 0.6872%
CWE: CWE-863
Published: 11/1/2021
Updated: 2/1/2023
KEV Status: No
Technology: Java
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.dspace:dspace-api | maven | >= 7.0, < 7.1 | 7.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stemmed from how a group's parent object was resolved. The pre-patch getParentObject() in GroupServiceImpl.java looked for any resource policy with action DEFAULT_ITEM_READ or DEFAULT_BITSTREAM_READ that named the group on a collection, and returned the first matching collection without checking that the group really was that collection's default read group. An attacker who administered a collection could therefore attach such a policy naming the system administrator group to it, so that the collection they controlled became the parent object of the administrator group. The fix filters candidate collections using getDefaultReadGroupName(), so that only a group whose name matches the expected default read group name for that collection is linked to it, which closes the escalation path. The commit message and the CWE-863 classification confirm that this was an authorization bypass caused by improper policy association.
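Added here as an illustration of the pre-patch and patched parent-object checks described above; this is not DSpace's own code. Group, Collection and ResourcePolicy are simplified stand-ins, the COLLECTION_<uuid>_<TYPE>_DEFAULT_READ name format is assumed, and the "Administrator" group and the crafted policy are constructed sample data.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.UUID;

// Stand-ins for the DSpace objects involved (not DSpace's own classes).
final class Collection {
    final UUID id = UUID.randomUUID();
    final List<ResourcePolicy> policies = new ArrayList<>();
}
final class Group { final String name; Group(String n) { name = n; } }
final class ResourcePolicy {
    final String action; final Group group;
    ResourcePolicy(String a, Group g) { action = a; group = g; }
}
public class GroupParentCheck {
    // Name of a collection's default read group; the COLLECTION_<uuid>_<TYPE>_DEFAULT_READ form is assumed.
    static String defaultReadGroupName(Collection c, String type) {
        return "COLLECTION_" + c.id + "_" + type + "_DEFAULT_READ";
    }
    static boolean isDefaultRead(ResourcePolicy p) {
        return p.action.equals("DEFAULT_ITEM_READ") || p.action.equals("DEFAULT_BITSTREAM_READ");
    }
    // Pre-patch logic: any DEFAULT_*_READ policy naming the group makes that collection its parent.
    static Collection vulnerableParent(Group g, List<Collection> all) {
        for (Collection c : all)
            for (ResourcePolicy p : c.policies)
                if (p.group == g && isDefaultRead(p)) return c;
        return null;
    }
    // Patched logic: the group must also carry the name that marks it as that collection's default read group.
    static Collection patchedParent(Group g, List<Collection> all) {
        for (Collection c : all)
            for (ResourcePolicy p : c.policies) {
                if (p.group != g || !isDefaultRead(p)) continue;
                String type = p.action.equals("DEFAULT_ITEM_READ") ? "ITEM" : "BITSTREAM";
                if (g.name.equals(defaultReadGroupName(c, type))) return c;
            }
        return null;
    }
    public static void main(String[] args) {
        Group admin = new Group("Administrator");   // constructed sample: the site administrator group
        Collection mine = new Collection();
        mine.policies.add(new ResourcePolicy("DEFAULT_ITEM_READ", admin)); // crafted policy on the collection
        List<Collection> all = List.of(mine);
        System.out.println("pre-patch links admin group to collection: " + (vulnerableParent(admin, all) == mine));
        System.out.println("patched links admin group to collection:   " + (patchedParent(admin, all) == mine));
        Group legit = new Group(defaultReadGroupName(mine, "ITEM"));
        mine.policies.add(new ResourcePolicy("DEFAULT_ITEM_READ", legit));
        System.out.println("patched links real default read group:     " + (patchedParent(legit, all) == mine));
    }
}
```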