
CVE-2021-41189: Communities and collections administrators can escalate their privilege up to system administrator

CVSS Score: 7.2 (CVSS v3.1)

Basic Information

EPSS Score: 0.6872%
Published: 11/1/2021
Updated: 2/1/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Package Name: org.dspace:dspace-api
Ecosystem: maven
Vulnerable Versions: >= 7.0, < 7.1
First Patched Version: 7.1

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stemmed from how a group's parent object was resolved. The pre-patch code in GroupServiceImpl.java's getParentObject() looked for ANY resource policy granting DEFAULT_ITEM_READ or DEFAULT_BITSTREAM_READ to the group on a collection and returned the first matching collection as the group's parent. Because administering a group's parent object confers administrative rights over the group itself, an attacker could use crafted policies to bind the system administrator group to a collection they already controlled. The fix filters candidate collections using getDefaultReadGroupName(), so that only a collection's legitimate default read groups (those carrying the expected, properly formatted name) are linked to it, which closes the escalation path. The commit message and the CWE-863 classification confirm this was an authorization bypass caused by improper policy association.
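The following simplified Java model, added here as an illustration and not Miggo's or DSpace's own code, contrasts the pre-patch lookup with the filtered one. The Group, Collection and ResourcePolicy records, the sample policies, and the COLLECTION_<id>_DEFAULT_<TYPE>_READ naming convention are assumptions made for this example.

```java
import java.util.List;
import java.util.UUID;

// Simplified model of the lookup the page describes (constructed; not DSpace's own classes;
// the default read group name format is an assumption).
public class ParentObjectResolution {
    static final String DEFAULT_ITEM_READ = "DEFAULT_ITEM_READ";
    static final String DEFAULT_BITSTREAM_READ = "DEFAULT_BITSTREAM_READ";
    record Group(String name) {}
    record Collection(UUID id) {}
    record ResourcePolicy(Group group, Collection collection, String action) {}
    static boolean isDefaultRead(ResourcePolicy p) {
        return DEFAULT_ITEM_READ.equals(p.action()) || DEFAULT_BITSTREAM_READ.equals(p.action());
    }
    // Assumed naming convention for a collection's auto-created default read groups.
    static String getDefaultReadGroupName(Collection c, String type) {
        return "COLLECTION_" + c.id() + "_DEFAULT_" + type + "_READ";
    }
    // Pre-patch logic: the first collection holding ANY default-read policy for the group
    // becomes its parent, so that collection's administrators gain control of the group.
    static Collection getParentObjectVulnerable(Group g, List<ResourcePolicy> policies) {
        for (ResourcePolicy p : policies) {
            if (p.group().equals(g) && isDefaultRead(p)) return p.collection();
        }
        return null;
    }
    // Patched logic: the group must also carry the collection's own default read group name,
    // so a policy that merely references some other group (e.g. Administrator) is ignored.
    static Collection getParentObjectFixed(Group g, List<ResourcePolicy> policies) {
        for (ResourcePolicy p : policies) {
            Collection c = p.collection();
            boolean ownsName = g.name().equals(getDefaultReadGroupName(c, "ITEM"))
                    || g.name().equals(getDefaultReadGroupName(c, "BITSTREAM"));
            if (p.group().equals(g) && isDefaultRead(p) && ownsName) return c;
        }
        return null;
    }

    public static void main(String[] args) {
        Collection col = new Collection(UUID.randomUUID());
        Group admin = new Group("Administrator");
        Group legit = new Group(getDefaultReadGroupName(col, "ITEM"));
        List<ResourcePolicy> policies = List.of(
                new ResourcePolicy(admin, col, DEFAULT_ITEM_READ),  // policy naming the admin group
                new ResourcePolicy(legit, col, DEFAULT_ITEM_READ)); // the collection's real group
        System.out.println("vulnerable, admin: " + getParentObjectVulnerable(admin, policies));
        System.out.println("fixed, admin:      " + getParentObjectFixed(admin, policies));
        System.out.println("fixed, legit:      " + getParentObjectFixed(legit, policies));
    }
}
```

With the pre-patch lookup the Administrator group resolves to the collection, while the filtered lookup returns no parent for it and still resolves the collection's genuine default read group.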



Impact

Any community or collection administrator can escalate their permission up to become system administrator. This vulnerability only existed in 7.0 and does not impact 6.x or below.

Patches

Fix is included in [7.1](https://github.com/
