High-severity level InfoSec vulnerabilities in Dataverse v. 6.0


edwin law

Nov 26, 2025, 7:58:48 PM
to Dataverse Users Community
Hi everyone,

Our central IT conducted a Web Application InfoSec scan on our Dataverse platform and detected 23 high-severity level vulnerabilities. Details are as follows:

- Dataverse platform: v. 6.0 build 1512-366fd41
- OS: Red Hat Enterprise Linux 8.10
- OpenJDK: Red Hat-17.0.16+8-LTS
- Payara Glassfish: v. 6
- PostgreSQL: v. 13.21
- Solr: v. 9.3.0
- Scanning tool: Micro Focus WebInspect

The High-severity vulnerabilities are listed in the attachment.

As the issues are mostly related to the Dataverse forms, we cannot modify the program to address the security issues. We would like to know whether similar InfoSec issues have been found in your Dataverse environment, and how they can be fixed.

Many thanks,
Edwin
InfoSec High-severity issues (DEV).png

James Myers

Nov 27, 2025, 6:42:42 AM
to dataverse...@googlegroups.com

Edwin – thanks for reaching out. The community and the Dataverse core team are very interested in continually improving Dataverse’s security.

Here are several quick notes:

The general guidance on security matters is:

As noted in the Dataverse Guides, we generally recommend staying current with Dataverse releases and encourage installations to add contact emails to the installation spreadsheet (which is accessible via the guides link earlier in this sentence) to receive security notices. Any security concerns can be reported to secu...@dataverse.org.

Looking quickly at the image you sent, I’m confused – Dataverse doesn’t use LDAP or NoSQL/MongoDB – which makes me wonder if some of these are false positives. If not, it is likely that we will need more information to assess them. Contacting secu...@dataverse.org would probably be the best way to start that discussion, and if you have more information you can share beyond the image, please send it.

Lastly, today is a holiday in the US and most people won’t be back until Monday, so responses will be limited for a few days.

-- Jim


edwin law

Nov 27, 2025, 11:09:38 PM
to Dataverse Users Community
Hi Jim,

Thank you for your comments. We have installed the latest Dataverse version, 6.8, on our production platform (the one scanned by WebInspect is version 6.0 on the staging environment).

I agree with you regarding the possible false positive cases. We will filter out the false positive cases and report remaining issues (if any) to secu...@dataverse.org. Thanks again for striving to improve Dataverse's security.

Best regards,
Edwin