8.2

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-31194

GHSA ID

GHSA-qp5m-c3m9-8q2p

EPSS Score

0.31528%

CWE

CWE-22

Published

8/6/2022

Updated

1/27/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-31194

CVE-2022-31194: JSPUI vulnerable to path traversal in submission (resumable) upload

Impact

The JSPUI resumable upload implementations in SubmissionController and FileUploadRequest are vulnerable to multiple path traversal attacks, allowing an attacker to create files/directories anywhere on the server writable by the Tomcat/DSpace user, by modifying some request parameters during submission. This path traversal can only be executed by a user with special privileges (submitter rights). This vulnerability only impacts the JSPUI.

This vulnerability does NOT impact the XMLUI or 7.x.

Patches

DSpace 6.x:

Fixed in 6.4 via commit: https://github.com/DSpace/DSpace/commit/7569c6374aefeafb996e202cf8d631020eda5f24
6.x patch file: https://github.com/DSpace/DSpace/commit/7569c6374aefeafb996e202cf8d631020eda5f24.patch (may be applied manually if an immediate upgrade to 6.4 or above is not possible)

DSpace 5.x:

Fixed in 5.11 via commit: https://github.com/DSpace/DSpace/commit/d1dd7d23329ef055069759df15cfa200c8e3
5.x patch file: https://github.com/DSpace/DSpace/commit/d1dd7d23329ef055069759df15cfa200c8e3.patch (may be applied manually if an immediate upgrade to 5.11 or 6.4 is not possible)

Apply the patch to your DSpace

If at all possible, we recommend upgrading your DSpace site based on the upgrade instructions. However, if you are unable to do so, you can manually apply the above patches as follows:

Download the appropriate patch file to the machine where DSpace is running
From the [dspace-src] folder, apply the patch, e.g. git apply [name-of-file].patch
Now, update your DSpace site (based loosely on the Upgrade instructions). This generally involves three steps:
1. Rebuild DSpace, e.g. mvn -U clean package (This will recompile all DSpace code)
2. Redeploy DSpace, e.g. ant update (This will copy all updated WARs / configs to your installation directory). Depending on your setup you also may need to copy the updated WARs over to your Tomcat webapps folder.
3. Restart Tomcat

Workarounds

There are no known workarounds. However, this vulnerability cannot be exploited by an anonymous user or a basic user. The user must first have submitter privileges to at least one Collection and be able to determine how to modify the request parameters to exploit the vulnerability.

References

Discovered & reported by Johannes Moritz of Ripstech

For more information

If you have any questions or comments about this advisory:

Email us at security@dspace.org

(GitHub Advisory)

8.2

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-31194

GHSA ID

GHSA-qp5m-c3m9-8q2p

EPSS Score

0.31528%

CWE

CWE-22

Published

8/6/2022

Updated

1/27/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.dspace:dspace-jspui	maven	>= 4.0, < 5.11	5.11
org.dspace:dspace-jspui	maven	>= 6.0, < 6.4	6.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from two key areas: 1) In SubmissionController.java, the DoGetResumable method directly used user-controlled 'resumableIdentifier' to construct tempDir paths without canonical path validation. 2) In FileUploadRequest.java, the constructor similarly used untrusted parameters to build file paths. Both locations lacked the critical security check added in the patch (getCanonicalPath().startsWith(baseDir)) to prevent directory traversal. The commit diffs explicitly show these functions were modified to add path validation, confirming they were the vulnerable entry points.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t T** JSPUI r*sum**l* uplo** impl*m*nt*tions in Su*mission*ontroll*r *n* *il*Uplo**R*qu*st *r* vuln*r**l* to multipl* p*t* tr*v*rs*l *tt**ks, *llowin* *n *tt**k*r to *r**t* *il*s/*ir**tori*s *nyw**r* on t** s*rv*r writ**l* *y t** Tom**t/*Sp*

Reasoning

T** vuln*r**ility st*ms *rom two k*y *r**s: *) In `Su*mission*ontroll*r.j*v*`, t** `*o**tR*sum**l*` m*t*o* *ir**tly us** us*r-*ontroll** 'r*sum**l*I**nti*i*r' to *onstru*t `t*mp*ir` p*t*s wit*out **noni**l p*t* v*li**tion. *) In `*il*Uplo**R*qu*st.j*

8.2

Basic Information

Concerned about an active attack path?

CVE-2022-31194: JSPUI vulnerable to path traversal in submission (resumable) upload

Impact

Patches

Apply the patch to your DSpace

Workarounds

References

For more information

8.2

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI