cvelistv5 - cve-2024-38364

CVE-2024-38364 (GCVE-0-2024-38364)

Vulnerability from cvelistv5 – Published: 2024-06-25 23:45 – Updated: 2024-08-02 04:04

Title

DSpace Cross Site Scripting (XSS) via a deposited HTML/XML document

Summary

DSpace is an open source software is a turnkey repository application used by more than 2,000 organizations and institutions worldwide to provide durable access to digital resources. In DSpace 7.0 through 7.6.1, when an HTML, XML or JavaScript Bitstream is downloaded, the user's browser may execute any embedded JavaScript. If that embedded JavaScript is malicious, there is a risk of an XSS attack. This vulnerability has been patched in version 7.6.2.

Severity ?

2.6 (Low)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/DSpace/DSpace/security/advisor…	x_refsource_CONFIRM
	https://github.com/DSpace/DSpace/pull/8891	x_refsource_MISC
	https://github.com/DSpace/DSpace/pull/9638	x_refsource_MISC
	https://github.com/DSpace/DSpace/commit/f1059b434…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	DSpace	DSpace	Affected: >= 7.0, < 7.6.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-38364",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-28T17:36:26.353986Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-05T17:22:48.955Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T04:04:25.278Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/DSpace/DSpace/security/advisories/GHSA-94cc-xjxr-pwvf",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/DSpace/DSpace/security/advisories/GHSA-94cc-xjxr-pwvf"
          },
          {
            "name": "https://github.com/DSpace/DSpace/pull/8891",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/DSpace/DSpace/pull/8891"
          },
          {
            "name": "https://github.com/DSpace/DSpace/pull/9638",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/DSpace/DSpace/pull/9638"
          },
          {
            "name": "https://github.com/DSpace/DSpace/commit/f1059b4340857cca3dc4c45b1ebbadce6bb61c0b",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/DSpace/DSpace/commit/f1059b4340857cca3dc4c45b1ebbadce6bb61c0b"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "DSpace",
          "vendor": "DSpace",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 7.0, \u003c 7.6.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "DSpace is an open source software is a turnkey repository application used by more than 2,000 organizations and institutions worldwide to provide durable access to digital resources. In DSpace 7.0 through 7.6.1, when an HTML, XML or JavaScript Bitstream is downloaded, the user\u0027s browser may execute any embedded JavaScript. If that embedded JavaScript is malicious, there is a risk of an XSS attack. This vulnerability has been patched in version 7.6.2."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 2.6,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-06-25T23:45:57.493Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/DSpace/DSpace/security/advisories/GHSA-94cc-xjxr-pwvf",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/DSpace/DSpace/security/advisories/GHSA-94cc-xjxr-pwvf"
        },
        {
          "name": "https://github.com/DSpace/DSpace/pull/8891",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/DSpace/DSpace/pull/8891"
        },
        {
          "name": "https://github.com/DSpace/DSpace/pull/9638",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/DSpace/DSpace/pull/9638"
        },
        {
          "name": "https://github.com/DSpace/DSpace/commit/f1059b4340857cca3dc4c45b1ebbadce6bb61c0b",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/DSpace/DSpace/commit/f1059b4340857cca3dc4c45b1ebbadce6bb61c0b"
        }
      ],
      "source": {
        "advisory": "GHSA-94cc-xjxr-pwvf",
        "discovery": "UNKNOWN"
      },
      "title": "DSpace Cross Site Scripting (XSS) via a deposited HTML/XML document"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-38364",
    "datePublished": "2024-06-25T23:45:57.493Z",
    "dateReserved": "2024-06-14T14:16:16.465Z",
    "dateUpdated": "2024-08-02T04:04:25.278Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"DSpace is an open source software is a turnkey repository application used by more than 2,000 organizations and institutions worldwide to provide durable access to digital resources. In DSpace 7.0 through 7.6.1, when an HTML, XML or JavaScript Bitstream is downloaded, the user\u0027s browser may execute any embedded JavaScript. If that embedded JavaScript is malicious, there is a risk of an XSS attack. This vulnerability has been patched in version 7.6.2.\"}, {\"lang\": \"es\", \"value\": \"DSpace es un software de c\\u00f3digo abierto, una aplicaci\\u00f3n de repositorio llave en mano utilizada por m\\u00e1s de 2000 organizaciones e instituciones en todo el mundo para brindar acceso duradero a recursos digitales. En DSpace 7.0 a 7.6.1, cuando se descarga un Bitstream HTML, XML o JavaScript, el navegador del usuario puede ejecutar cualquier JavaScript incrustado. Si ese JavaScript incrustado es malicioso, existe el riesgo de sufrir un ataque XSS. Esta vulnerabilidad ha sido parcheada en la versi\\u00f3n 7.6.2.\"}]",
      "id": "CVE-2024-38364",
      "lastModified": "2024-11-21T09:25:27.740",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L\", \"baseScore\": 2.6, \"baseSeverity\": \"LOW\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"LOW\"}, \"exploitabilityScore\": 1.2, \"impactScore\": 1.4}]}",
      "published": "2024-06-26T00:15:10.480",
      "references": "[{\"url\": \"https://github.com/DSpace/DSpace/commit/f1059b4340857cca3dc4c45b1ebbadce6bb61c0b\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/DSpace/DSpace/pull/8891\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/DSpace/DSpace/pull/9638\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/DSpace/DSpace/security/advisories/GHSA-94cc-xjxr-pwvf\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/DSpace/DSpace/commit/f1059b4340857cca3dc4c45b1ebbadce6bb61c0b\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://github.com/DSpace/DSpace/pull/8891\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://github.com/DSpace/DSpace/pull/9638\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://github.com/DSpace/DSpace/security/advisories/GHSA-94cc-xjxr-pwvf\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Awaiting Analysis",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-38364\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-06-26T00:15:10.480\",\"lastModified\":\"2024-11-21T09:25:27.740\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"DSpace is an open source software is a turnkey repository application used by more than 2,000 organizations and institutions worldwide to provide durable access to digital resources. In DSpace 7.0 through 7.6.1, when an HTML, XML or JavaScript Bitstream is downloaded, the user\u0027s browser may execute any embedded JavaScript. If that embedded JavaScript is malicious, there is a risk of an XSS attack. This vulnerability has been patched in version 7.6.2.\"},{\"lang\":\"es\",\"value\":\"DSpace es un software de c\u00f3digo abierto, una aplicaci\u00f3n de repositorio llave en mano utilizada por m\u00e1s de 2000 organizaciones e instituciones en todo el mundo para brindar acceso duradero a recursos digitales. En DSpace 7.0 a 7.6.1, cuando se descarga un Bitstream HTML, XML o JavaScript, el navegador del usuario puede ejecutar cualquier JavaScript incrustado. Si ese JavaScript incrustado es malicioso, existe el riesgo de sufrir un ataque XSS. Esta vulnerabilidad ha sido parcheada en la versi\u00f3n 7.6.2.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L\",\"baseScore\":2.6,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":1.2,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"references\":[{\"url\":\"https://github.com/DSpace/DSpace/commit/f1059b4340857cca3dc4c45b1ebbadce6bb61c0b\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/DSpace/DSpace/pull/8891\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/DSpace/DSpace/pull/9638\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/DSpace/DSpace/security/advisories/GHSA-94cc-xjxr-pwvf\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/DSpace/DSpace/commit/f1059b4340857cca3dc4c45b1ebbadce6bb61c0b\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/DSpace/DSpace/pull/8891\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/DSpace/DSpace/pull/9638\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/DSpace/DSpace/security/advisories/GHSA-94cc-xjxr-pwvf\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-38364\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-06-28T17:36:26.353986Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-07-05T15:20:43.991Z\"}}], \"cna\": {\"title\": \"DSpace Cross Site Scripting (XSS) via a deposited HTML/XML document\", \"source\": {\"advisory\": \"GHSA-94cc-xjxr-pwvf\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 2.6, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"DSpace\", \"product\": \"DSpace\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 7.0, \u003c 7.6.2\"}]}], \"references\": [{\"url\": \"https://github.com/DSpace/DSpace/security/advisories/GHSA-94cc-xjxr-pwvf\", \"name\": \"https://github.com/DSpace/DSpace/security/advisories/GHSA-94cc-xjxr-pwvf\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/DSpace/DSpace/pull/8891\", \"name\": \"https://github.com/DSpace/DSpace/pull/8891\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/DSpace/DSpace/pull/9638\", \"name\": \"https://github.com/DSpace/DSpace/pull/9638\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/DSpace/DSpace/commit/f1059b4340857cca3dc4c45b1ebbadce6bb61c0b\", \"name\": \"https://github.com/DSpace/DSpace/commit/f1059b4340857cca3dc4c45b1ebbadce6bb61c0b\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"DSpace is an open source software is a turnkey repository application used by more than 2,000 organizations and institutions worldwide to provide durable access to digital resources. In DSpace 7.0 through 7.6.1, when an HTML, XML or JavaScript Bitstream is downloaded, the user\u0027s browser may execute any embedded JavaScript. If that embedded JavaScript is malicious, there is a risk of an XSS attack. This vulnerability has been patched in version 7.6.2.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-06-25T23:45:57.493Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-38364\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-07-05T17:22:48.955Z\", \"dateReserved\": \"2024-06-14T14:16:16.465Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-06-25T23:45:57.493Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GHSA-94CC-XJXR-PWVF

Vulnerability from github – Published: 2024-06-25 17:07 – Updated: 2024-06-28 20:00

Summary

DSpace Cross Site Scripting (XSS) via a deposited HTML/XML document

Details

Impact

In DSpace 7.0 through 7.6.1, when an HTML, XML or JavaScript Bitstream is downloaded, the user's browser may execute any embedded JavaScript. If that embedded JavaScript is malicious, there is a risk of an XSS attack.

This attack may only be initialized by a user who already has Submitter privileges in the repository. The submitter must upload the malicious HTML/XML/JavaScript file themselves. The attack itself would not occur until a visitor or logged-in user downloads the file or clicks on a download link shared by the attacker.

If your site is running the frontend and backend from separate domains, CORS and CSRF protection built into DSpace help to limit the impact of the attack.

If the repository is configured to only download HTML / XML / JavaScript Bitstreams using the Content-Disposition: attachment header, then the attack is no longer possible. See "Workarounds" below.

Patches

The fix is included in both 8.0 and 7.6.2. Please upgrade to one of these versions, or manually apply one of the "Workarounds" below.

If you are already running 7.6 or 7.6.1, then this vulnerability can be fixed via a configuration update in your dspace.cfg configuration file. See details in below.

Workarounds

DSpace sites running 7.6 or 7.6.1 can fix this issue by adding the following webui.content_disposition_format settings to their dspace.cfg (or local.cfg). These settings force all HTML, XML, RDF & JavaScript files to always be downloaded to a user's machine, blocking the attack. For more details see PR #9638

webui.content_disposition_format = text/html
webui.content_disposition_format = text/javascript
webui.content_disposition_format = text/xml
webui.content_disposition_format = rdf

These settings will take effect immediately. There is no need to restart Tomcat.

To verify the settings are working: upload an HTML or XML file to an in-progress submission. Attempt to download the file. The file should not open in your browser window. Instead, it should download to your local computer.

DSpace sites running 7.0 through 7.5 will need to either (CHOOSE ONE): * Upgrade to 7.6.2 or 8.0 * Or, upgrade to 7.6 or 7.6.1 and then apply the configuration change mentioned above * Or, manually add the webui.content_disposition_format setting (which was first released in 7.6), and then apply the configuration changes mentioned above. * The webui.content_disposition_format setting can be added by applying the changes in PR #8891. A patch file is also available. * Please be aware this patch may not apply cleanly to all prior versions of 7.x. In that scenario, you would need to find a way to manually apply the changes or consider a different workaround. * Or, find a way in your Apache or NGinx proxy to force the Content-Disposition: attachment header to be sent for all files downloaded via /server/api/core/bitstreams/[uuid]/content in the REST API.
* NOTE: This workaround will patch the vulnerability. However, it does so by no longer allowing users to open any downloaded files in their browser window. (This behavior may or may not be desirable in the long term, so you may wish to remove it in the future, once you have upgraded.) * For example, in Apache, using "mod_headers", you may add a configuration similar to this in your <VirtualHost>: # Set "Content-Disposition: attachment" whenever path is /server/api/core/bitstreams/[uuid]/content Header set Content-Disposition attachment "expr=%{REQUEST_URI} =~ m#^/server/api/core/bitstreams/.*/content$#"

References

Discovered and reported by Muhammad Zeeshan (Xib3rR4dAr)

For more information

If you have any questions or comments about this advisory:

Email us at security@dspace.org

Severity ?

2.6 (Low)


                  
                    CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.dspace:dspace-server-webapp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0"
            },
            {
              "fixed": "7.6.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-38364"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-25T17:07:32Z",
    "nvd_published_at": "2024-06-26T00:15:10Z",
    "severity": "LOW"
  },
  "details": "### Impact\nIn DSpace 7.0 through 7.6.1, when an HTML, XML or JavaScript Bitstream is downloaded, the user\u0027s browser _may_ execute any embedded JavaScript.  If that embedded JavaScript is malicious, there is a risk of an XSS attack.\n\nThis attack may only be initialized by a user who already has Submitter privileges in the repository. The submitter must upload the malicious HTML/XML/JavaScript file themselves. The attack itself would not occur until a visitor or logged-in user downloads the file or clicks on a download link shared by the attacker.  \n\nIf your site is running the frontend and backend from separate domains, CORS and CSRF protection built into DSpace help to limit the impact of the attack.\n\nIf the repository is configured to only download HTML / XML / JavaScript Bitstreams using the [`Content-Disposition: attachment`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Disposition) header, then the attack is no longer possible.  See \"Workarounds\" below.\n\n### Patches\nThe fix is included in both 8.0 and 7.6.2.  Please upgrade to one of these versions, or manually apply one of the \"Workarounds\" below.\n\nIf you are already running 7.6 or 7.6.1, then this vulnerability can be fixed via a configuration update in your `dspace.cfg` configuration file.  See details in below.\n\n### Workarounds\n\n**DSpace sites running 7.6 or 7.6.1** can fix this issue by adding the following `webui.content_disposition_format` settings to their `dspace.cfg` (or `local.cfg`).  These settings force all HTML, XML, RDF \u0026 JavaScript files to always be downloaded to a user\u0027s machine, blocking the attack.  For more details see [PR #9638](https://github.com/DSpace/DSpace/pull/9638)\n```\nwebui.content_disposition_format = text/html\nwebui.content_disposition_format = text/javascript\nwebui.content_disposition_format = text/xml\nwebui.content_disposition_format = rdf\n```\nThese settings will take effect immediately. There is no need to restart Tomcat.\n\nTo verify the settings are working: upload an HTML or XML file to an in-progress submission. Attempt to download the file. The file should *not* open in your browser window. Instead, it should download to your local computer.\n\n**DSpace sites running 7.0 through 7.5** will need to **either** (CHOOSE ONE):\n* Upgrade to 7.6.2 or 8.0\n* Or, upgrade to 7.6 or 7.6.1 and then apply the configuration change mentioned above\n* Or, manually add the `webui.content_disposition_format` setting (which was first released in 7.6), and then apply the configuration changes mentioned above.\n    * The `webui.content_disposition_format` setting can be added by applying the changes in [PR #8891](https://github.com/DSpace/DSpace/pull/8891).  A [`patch` file](https://github.com/DSpace/DSpace/pull/8891.patch) is also available.\n    * Please be aware this patch may not apply cleanly to all prior versions of 7.x. In that scenario, you would need to find a way to manually apply the changes or consider a different workaround.\n* Or, find a way in your Apache or NGinx proxy to force the `Content-Disposition: attachment` header to be sent for **all files** downloaded via `/server/api/core/bitstreams/[uuid]/content` in the REST API.  \n    * NOTE: This workaround will patch the vulnerability. However, it does so by no longer allowing users to open _any_ downloaded files in their browser window. (This behavior may or may not be desirable in the long term, so you may wish to remove it in the future, once you have upgraded.)\n    * For example, in Apache, using \"mod_headers\", you may add a configuration similar to this in your `\u003cVirtualHost\u003e`:\n      ```\n      # Set \"Content-Disposition: attachment\" whenever path is /server/api/core/bitstreams/[uuid]/content\n      Header set Content-Disposition attachment \"expr=%{REQUEST_URI} =~ m#^/server/api/core/bitstreams/.*/content$#\"\n      ```\n\n### References\n\nDiscovered and reported by Muhammad Zeeshan ([Xib3rR4dAr](https://github.com/Xib3rR4dAr))\n\n### For more information\nIf you have any questions or comments about this advisory:\n\n* Email us at [security@dspace.org](mailto:security@dspace.org)",
  "id": "GHSA-94cc-xjxr-pwvf",
  "modified": "2024-06-28T20:00:56Z",
  "published": "2024-06-25T17:07:32Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/DSpace/DSpace/security/advisories/GHSA-94cc-xjxr-pwvf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38364"
    },
    {
      "type": "WEB",
      "url": "https://github.com/DSpace/DSpace/pull/8891"
    },
    {
      "type": "WEB",
      "url": "https://github.com/DSpace/DSpace/pull/9638"
    },
    {
      "type": "WEB",
      "url": "https://github.com/DSpace/DSpace/commit/f1059b4340857cca3dc4c45b1ebbadce6bb61c0b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/DSpace/DSpace"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "DSpace Cross Site Scripting (XSS) via a deposited HTML/XML document"
}

FKIE_CVE-2024-38364

Vulnerability from fkie_nvd - Published: 2024-06-26 00:15 - Updated: 2024-11-21 09:25

Severity ?

2.6 (Low) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/DSpace/DSpace/commit/f1059b4340857cca3dc4c45b1ebbadce6bb61c0b
	security-advisories@github.com	https://github.com/DSpace/DSpace/pull/8891
	security-advisories@github.com	https://github.com/DSpace/DSpace/pull/9638
	security-advisories@github.com	https://github.com/DSpace/DSpace/security/advisories/GHSA-94cc-xjxr-pwvf
	af854a3a-2127-422b-91ae-364da2661108	https://github.com/DSpace/DSpace/commit/f1059b4340857cca3dc4c45b1ebbadce6bb61c0b
	af854a3a-2127-422b-91ae-364da2661108	https://github.com/DSpace/DSpace/pull/8891
	af854a3a-2127-422b-91ae-364da2661108	https://github.com/DSpace/DSpace/pull/9638
	af854a3a-2127-422b-91ae-364da2661108	https://github.com/DSpace/DSpace/security/advisories/GHSA-94cc-xjxr-pwvf

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "DSpace is an open source software is a turnkey repository application used by more than 2,000 organizations and institutions worldwide to provide durable access to digital resources. In DSpace 7.0 through 7.6.1, when an HTML, XML or JavaScript Bitstream is downloaded, the user\u0027s browser may execute any embedded JavaScript. If that embedded JavaScript is malicious, there is a risk of an XSS attack. This vulnerability has been patched in version 7.6.2."
    },
    {
      "lang": "es",
      "value": "DSpace es un software de c\u00f3digo abierto, una aplicaci\u00f3n de repositorio llave en mano utilizada por m\u00e1s de 2000 organizaciones e instituciones en todo el mundo para brindar acceso duradero a recursos digitales. En DSpace 7.0 a 7.6.1, cuando se descarga un Bitstream HTML, XML o JavaScript, el navegador del usuario puede ejecutar cualquier JavaScript incrustado. Si ese JavaScript incrustado es malicioso, existe el riesgo de sufrir un ataque XSS. Esta vulnerabilidad ha sido parcheada en la versi\u00f3n 7.6.2."
    }
  ],
  "id": "CVE-2024-38364",
  "lastModified": "2024-11-21T09:25:27.740",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 2.6,
          "baseSeverity": "LOW",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-06-26T00:15:10.480",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/DSpace/DSpace/commit/f1059b4340857cca3dc4c45b1ebbadce6bb61c0b"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/DSpace/DSpace/pull/8891"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/DSpace/DSpace/pull/9638"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/DSpace/DSpace/security/advisories/GHSA-94cc-xjxr-pwvf"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/DSpace/DSpace/commit/f1059b4340857cca3dc4c45b1ebbadce6bb61c0b"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/DSpace/DSpace/pull/8891"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/DSpace/DSpace/pull/9638"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/DSpace/DSpace/security/advisories/GHSA-94cc-xjxr-pwvf"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-38364 (GCVE-0-2024-38364)

GHSA-94CC-XJXR-PWVF

Impact

Patches

Workarounds

References

For more information

FKIE_CVE-2024-38364

Tags

Sightings

Nomenclature