Question about CWE-74 findings and infosec discussions

Marcelo Garcia

May 25, 2025, 1:08:23 PM
to DSpace Technical Support
Dear DSpace community,

I hope everyone is doing well! I'm reaching out because our information security team has flagged what they believe is a potential vulnerability in DSpace 7.2 related to CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component).

Here's what they've identified:

The team discovered that DSpace handles two comment sequences differently:
- The invalid sequence `*/_/*` is not being filtered out and gets processed
- The correct sequence `/*_*/` is properly filtered, returning the same result as input without payload

Since the outputs differ between these two cases, our infosec team is treating this as a potential injection vulnerability (similar to SQL injection concerns), even though the different responses don't immediately appear to constitute an actual security risk.

I'm wondering if anyone in the community has encountered similar findings from their security teams and how you approached the discussion? Any insights on whether this represents a genuine security concern or guidance on how to address it with infosec would be greatly appreciated.

Thanks so much for your time and expertise!

Best regards,

Marcelo