DSpace 4.x, 5.x, 6.x Security Notice (JSPUI)


Kim Shepherd

Jun 27, 2018, 9:45:34 AM
to DSpace Community, DSpace Technical Support, DSpace Developers

All,

Recently, several security vulnerabilities were discovered in the JSPUI.

WE RECOMMEND ALL JSPUI-based SITES UPGRADE TO EITHER DSPACE 6.3, 5.9 or 4.9 to ensure your site is secure, or manually patch your site using the tickets detailed below. (Please note that the DSpace 6.3 and 5.9 releases also include bug fixes to those platforms.)

Vulnerabilities affecting the JSPUI:

  • [HIGH SEVERITY] A user can inject malicious Javascript into the names of EPeople or Groups. This is most severe in sites which allow anyone to register for a new account. (https://jira.duraspace.org/browse/DS-3866 - requires a JIRA account to access.) Discovered by Julio Brafman
  • [MEDIUM SEVERITY] Any user was able to export metadata to CSV format if they knew the correct JSPUI path/parameters. Additionally, the exported CSV included metadata fields which are flagged as hidden in configuration. (https://jira.duraspace.org/browse/DS-3840 - requires a JIRA account to access.) Discovered by Eike Kleiner (ZHAW, Zurich University of Applied Sciences)

As these vulnerabilities are now considered "public", questions may be asked on our DSpace Tech Support mailing list (https://groups.google.com/forum/#!forum/dspace-tech) or on the tickets themselves. As noted above, each of the tickets requires a DuraSpace JIRA account to access at this time. If you do not yet have an account, you may request one by emailing sysa...@duraspace.org.

We also welcome private security reports, concerns or questions via our security contact address (secu...@dspace.org).

Sincerely,


Kim Shepherd (on behalf of DSpace committers)
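The two issues in the notice, modelled in a small added example that is not DSpace code and not part of the original message: a stored-XSS class fix (escape EPerson/Group names at render time) together with an audit over already-stored names, and an authorised CSV export that honours hidden-field configuration. The accounts, items, and the hidden-field set are constructed; the `metadata.hide.<field>` naming is an assumption modelled on the dspace.cfg convention, and the function names are illustrative only.

```python
import csv
import html
import io
import re
from typing import Iterable

# Constructed sample accounts (not from any real DSpace instance). The second
# name carries HTML markup of the kind a self-registration form could accept
# if the name is later rendered unescaped.
EPEOPLE = [
    {"id": 1, "name": "Alice Example", "is_admin": True},
    {"id": 2, "name": "Bob <script>alert(1)</script>", "is_admin": False},
]

# Hidden-field configuration, modelled on the dspace.cfg convention
# "metadata.hide.<schema>.<element>.<qualifier> = true" (assumption; the
# field set here is constructed for the example).
HIDDEN_FIELDS = {"dc.description.provenance"}

# Constructed item metadata, keyed by field name.
ITEMS = [
    {"dc.title": "First item", "dc.contributor.author": "Example, Alice",
     "dc.description.provenance": "Submitted by alice@example.org on 2018-06-01"},
    {"dc.title": "Second item", "dc.contributor.author": "Example, Bob",
     "dc.description.provenance": "Submitted by bob@example.org on 2018-06-02"},
]

# Characters that change meaning in an HTML element or attribute context.
MARKUP_CHARS = re.compile(r'[<>"\']')


def render_name(name: str) -> str:
    """Output-encode a stored name for an HTML context.

    The fix for the DS-3866 class of issue is to escape at render time rather
    than to trust whatever was accepted at registration.
    """
    return html.escape(name, quote=True)


def audit_names(accounts: Iterable[dict]) -> list[int]:
    """Defender check: ids of accounts whose stored name contains
    HTML-significant characters, so values stored before the patch can be
    reviewed rather than silently kept."""
    return [a["id"] for a in accounts if MARKUP_CHARS.search(a["name"])]


def export_metadata_csv(requester: dict, items: list[dict], hidden: set[str]) -> str:
    """CSV export that enforces both controls the DS-3840 class of issue needs:
    the caller must be an administrator, and fields configured as hidden are
    dropped from header and rows alike."""
    if not requester.get("is_admin"):
        raise PermissionError("metadata export requires an administrator")
    fields = sorted({f for item in items for f in item} - hidden)
    buf = io.StringIO()
    # extrasaction="ignore" drops the hidden fields from each row.
    writer = csv.DictWriter(buf, fieldnames=fields, extrasaction="ignore",
                            lineterminator="\n")
    writer.writeheader()
    for item in items:
        writer.writerow(item)
    return buf.getvalue()


if __name__ == "__main__":
    print("flagged account ids:", audit_names(EPEOPLE))
    print("rendered:", render_name(EPEOPLE[1]["name"]))
    print(export_metadata_csv(EPEOPLE[0], ITEMS, HIDDEN_FIELDS))
```

Escaping on output rather than rejecting on input is deliberate: names with legitimate apostrophes or ampersands still work, and a name stored before the patch cannot reach the browser unescaped. The export check verifies the requester on every call, so knowing the path and parameters alone is no longer enough.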
