SECURITY NOTICE: DSpace 7.x - 9.x versions have vulnerabilities in COAR Notify, Curation Tasks and OAI-ORE harvesting.


DSpace Technical Support

Jun 1, 2026, 12:14:51 PM
to DSpace Technical Support

All,


Four DSpace backend security advisories have been released that impact all supported versions of DSpace 7.x - 9.x. These vulnerabilities are listed in order of severity.


GHSA-9x82-rm84-c6x7 : Remote Code Execution (RCE) possible in Velocity Templates used by LDN (Linked Data Notifications)

  • Severity: High (8.0 out of 10.0 using CVSSv3)

  • Affected Versions: 8.0 through 8.3, 9.0 through 9.2

  • Patched Versions: 8.4, 9.3, 10.0

  • Reported by: Pablo Picurelli Ortiz, cybersecurity student at Universidad Rey Juan Carlos 

  • Fixed by: Kim Shepherd, The Library Code

  • Patches for 8.x and 9.x are available in the security advisory for sites that cannot upgrade immediately.

  • (NOTE: A CVE ID has been requested but not yet assigned)


The attacker must have administrator privileges to perform the attack. The attack can be carried out when chained with the “Path Traversal Vulnerability is possible in LDN message generation” vulnerability (see below). The attack is not possible when COAR Notify / LDN is disabled.


When chained with the next vulnerability, it may be possible to execute Java directly from Velocity templates. This is a very high impact vulnerability, but it requires Administrative privileges to perform. Nonetheless, we recommend disabling LDN (“ldn.enabled = false”, which is the default value) in your local.cfg to protect against this attack until you are able to patch or upgrade your site.


GHSA-9qm4-rh6w-pq5x : Path Traversal Vulnerability is possible in LDN message generation.

  • Severity: Moderate (5.5 out of 10.0 using CVSSv3)

  • Affected Versions: 8.0 through 8.3, 9.0 through 9.2

  • Patched Versions: 8.4, 9.3, 10.0

  • Reported by: Pablo Picurelli Ortiz, cybersecurity student at Universidad Rey Juan Carlos 

  • Fixed by: Kim Shepherd, The Library Code

  • Patches for 8.x and 9.x are available in the security advisory for sites that cannot upgrade immediately.

  • (NOTE: A CVE ID has been requested but not yet assigned)


A path traversal vulnerability is possible via the COAR Notify / LDN service in DSpace. The attacker must already have administrator privileges to perform the attack. This attack may be chained with other attacks (such as the RCE vulnerability listed above) to exploit additional related weaknesses. This form of attack chaining is non-trivial but proven. The attack is not possible when COAR Notify / LDN is disabled.


Standalone, this vulnerability is less severe (unless chained with additional weaknesses). Nonetheless, we recommend disabling LDN (“ldn.enabled = false”, which is the default value) in your local.cfg to protect against this attack until you are able to patch or upgrade your site.



GHSA-v66x-68f2-pxf5 : Path Traversal Vulnerability is possible in Curation Task Reporter output path.

  • Severity: Moderate (5.5 out of 10.0 using CVSSv3)

  • Affected Versions: 7.x up to and including 7.6.6, 8.0 through 8.3, 9.0 through 9.2

  • Patched Versions: 7.6.7, 8.4, 9.3, 10.0

  • Reported by: Pablo Picurelli Ortiz, cybersecurity student at Universidad Rey Juan Carlos 

  • Fixed by: Kim Shepherd, The Library Code

  • Patches for 7.x, 8.x and 9.x are available in the security advisory for sites that cannot upgrade immediately.

  • (NOTE: A CVE ID has been requested but not yet assigned)


A path traversal vulnerability is possible in the Curation Task Reporter parameter (“-r”), typically used to stream results or the status of curation task operations. This attack can be performed by someone with Collection/Community/Site Administrator privileges, as it requires the ability to start a curation task from the web interface.


We recommend upgrading or patching your site to protect against this attack.  If you are unable to do so, you may wish to consider disabling all curation tasks (see security advisory for details). However, disabling all curation tasks may not be acceptable to sites that regularly use or schedule various tasks via the “dspace curate” command.


GHSA-c827-pw3m-67w7 : ORE resource URI does not validate scheme for non-web resources when harvesting OAI content

  • Severity: Moderate (4.4 out of 10.0 using CVSSv3)

  • Affected Versions: 7.x up to and including 7.6.6, 8.0 through 8.3, 9.0 through 9.2

  • Patched Versions: 7.6.7, 8.4, 9.3, 10.0

  • Reported by: Pablo Picurelli Ortiz, cybersecurity student at Universidad Rey Juan Carlos 

  • Fixed by: Kim Shepherd, The Library Code

  • Patches for 7.x, 8.x and 9.x are available in the security advisory for sites that cannot upgrade immediately.

  • (NOTE: A CVE ID has been requested but not yet assigned)


When ingesting an aggregated ORE resource by URI (using the OAI-ORE Harvester), the ORE Ingestion Crosswalk does not validate the URI scheme. This may allow for local file inclusion via malicious paths like file:///etc/passwd.  The attacker MUST already have DSpace collection administrator privileges in order to perform the attack. 


We recommend upgrading or patching your site to protect against this attack.  If you are unable to do so, you may wish to consider disabling the OREIngestionCrosswalk (see security advisory for details).
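As an added illustration of the two input-validation failures described above for the Curation Task Reporter output path and the ORE ingestion crosswalk, here is a Python sketch of the checks a defender expects at those two boundaries. It is not DSpace code (DSpace is Java) and not the project's actual fix; it shows the pattern only: canonicalise a report path and refuse anything that resolves outside the configured report directory, and allowlist URI schemes so that file:// aggregation URIs are rejected before any fetch. The base directory and the sample inputs are constructed for the demonstration.

```python
import os
from urllib.parse import urlparse

# Constructed values for the demonstration; a real site would take these from
# its own configuration rather than hard-coding them.
REPORT_BASE_DIR = "/var/dspace/reports"
ALLOWED_URI_SCHEMES = {"http", "https"}


def resolve_report_path(base_dir: str, requested: str) -> str:
    """Resolve a user-supplied report name (the kind of value a reporter
    parameter like '-r' carries) to a file strictly inside base_dir.

    Raises ValueError for anything that escapes the directory, whether via
    '..' segments, an absolute path, or an existing symlink pointing elsewhere.
    """
    base = os.path.realpath(base_dir)
    # os.path.join discards `base` when `requested` is absolute, and realpath
    # collapses '..' and follows symlinks; the containment check below then
    # catches both cases instead of trying to blacklist dangerous substrings.
    candidate = os.path.realpath(os.path.join(base, requested))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"report path escapes {base}: {requested!r}")
    return candidate


def is_safe_report_path(base_dir: str, requested: str) -> bool:
    """Boolean form of resolve_report_path for callers that only need a verdict."""
    try:
        resolve_report_path(base_dir, requested)
    except ValueError:
        return False
    return True


def is_web_resource_uri(uri: str) -> bool:
    """Allowlist check for an ORE aggregation URI before it is dereferenced.

    Only http and https URIs with a host component pass; file://, jar:,
    scheme-less and malformed values are rejected. urlparse lowercases the
    scheme, so FILE:// is treated the same as file://.
    """
    try:
        parsed = urlparse(uri.strip())
    except ValueError:
        return False
    return parsed.scheme.lower() in ALLOWED_URI_SCHEMES and bool(parsed.netloc)


if __name__ == "__main__":
    # Constructed sample inputs: one benign and several hostile per check.
    for name in ["curation-2026-06-01.txt", "../../etc/passwd", "/etc/passwd"]:
        verdict = "ok" if is_safe_report_path(REPORT_BASE_DIR, name) else "REJECTED"
        print(f"report {name!r}: {verdict}")
    for uri in ["https://repo.example.org/ore/1234", "file:///etc/passwd",
                "FILE:///etc/passwd", "//repo.example.org/ore"]:
        verdict = "ok" if is_web_resource_uri(uri) else "REJECTED"
        print(f"uri {uri!r}: {verdict}")
```

The containment check compares canonical paths component-wise (os.path.commonpath), so a sibling directory such as /var/dspace/reports-old is also rejected; the URI check deliberately allowlists rather than denylists schemes, which is what closes the gap the advisory describes.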


We recommend that all DSpace sites immediately apply workarounds, patches or upgrade to 7.6.7, 8.4, 9.3 or 10.0.  While all of these vulnerabilities require some level of administrative privileges, all have been proven via a “proof of concept” attack.
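To help a site work out which of the four advisories apply to it and whether the LDN workaround is actually in effect, the following added Python script (not part of this notice and not a DSpace tool) encodes the affected and patched version ranges listed above and reads the site's local.cfg with a minimal key = value parser. Assumptions made here: the 7.x range starts at 7.0 (the notice gives only an upper bound of 7.6.6 and says all supported 7.x - 9.x versions are affected), version strings are compared numerically after stripping suffixes such as -SNAPSHOT, and ldn.enabled counts as false when absent, as the notice states. The curation-task and ORE workarounds are only described in the GitHub advisories, so for those the script reports that a patch or the advisory's workaround is needed rather than checking a configuration key.

```python
import re

# Advisory data transcribed from this notice. Affected ranges are inclusive
# (low, high) pairs. The 7.x lower bound of 7.0 is an assumption: the notice
# states "<= 7.6.6" and that all supported 7.x - 9.x versions are affected.
ADVISORIES = {
    "GHSA-9x82-rm84-c6x7": {
        "title": "RCE in Velocity templates used by LDN",
        "affected": [("8.0", "8.3"), ("9.0", "9.2")],
        "workaround": ("ldn.enabled", "false"),
    },
    "GHSA-9qm4-rh6w-pq5x": {
        "title": "Path traversal in LDN message generation",
        "affected": [("8.0", "8.3"), ("9.0", "9.2")],
        "workaround": ("ldn.enabled", "false"),
    },
    "GHSA-v66x-68f2-pxf5": {
        "title": "Path traversal in Curation Task Reporter output path",
        "affected": [("7.0", "7.6.6"), ("8.0", "8.3"), ("9.0", "9.2")],
        "workaround": None,  # disabling all curation tasks: see the advisory
    },
    "GHSA-c827-pw3m-67w7": {
        "title": "ORE resource URI scheme not validated during OAI harvesting",
        "affected": [("7.0", "7.6.6"), ("8.0", "8.3"), ("9.0", "9.2")],
        "workaround": None,  # disabling OREIngestionCrosswalk: see the advisory
    },
}


def parse_version(version: str) -> tuple:
    """Turn '7.6.6' or '9.3-SNAPSHOT' into a tuple of ints for comparison."""
    numbers = re.findall(r"\d+", version)
    if not numbers:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(n) for n in numbers)


def _in_range(version: tuple, low: str, high: str) -> bool:
    # Tuple comparison handles different lengths: (7, 6) <= (7, 6, 6) is True.
    return parse_version(low) <= version <= parse_version(high)


def applicable_advisories(dspace_version: str) -> list:
    """GHSA ids whose affected ranges contain the given DSpace version."""
    version = parse_version(dspace_version)
    return [
        ghsa for ghsa, info in ADVISORIES.items()
        if any(_in_range(version, low, high) for low, high in info["affected"])
    ]


def parse_local_cfg(text: str) -> dict:
    """Minimal reader for a DSpace local.cfg: 'key = value' lines, '#' comments.

    A later assignment of the same key overrides an earlier one.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def ldn_enabled(local_cfg_text: str) -> bool:
    """LDN is on only if local.cfg explicitly sets ldn.enabled = true;
    the notice states that false is the default."""
    cfg = parse_local_cfg(local_cfg_text)
    return cfg.get("ldn.enabled", "false").lower() == "true"


def triage(dspace_version: str, local_cfg_text: str) -> dict:
    """Map each applicable GHSA id to a status line for this site."""
    cfg = parse_local_cfg(local_cfg_text)
    report = {}
    for ghsa in applicable_advisories(dspace_version):
        info = ADVISORIES[ghsa]
        if info["workaround"] is None:
            report[ghsa] = "affected: upgrade or patch (see advisory for workaround)"
            continue
        key, safe_value = info["workaround"]
        # Absence of the key means the default applies, which is the safe value.
        if cfg.get(key, safe_value).lower() == safe_value:
            report[ghsa] = f"affected: workaround in place ({key} = {safe_value})"
        else:
            report[ghsa] = f"affected: NO workaround, set {key} = {safe_value} or patch"
    return report


if __name__ == "__main__":
    # Constructed sample: a 9.2 site that has switched LDN on in local.cfg.
    sample_cfg = "dspace.name = Example Repository\nldn.enabled = true\n"
    for ghsa, status in triage("9.2", sample_cfg).items():
        print(f"{ghsa} ({ADVISORIES[ghsa]['title']}): {status}")
```

Run it with your own version string and the contents of local.cfg; an empty result means the version is one of the patched releases listed above.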


If you have any questions about this security advisory, please email secu...@dspace.org. This email address sends a private email to all DSpace Committers.


Sincerely,


Tim Donohue, on behalf of the DSpace Committers

