FKIE_CVE-2025-53621

Vulnerability from fkie_nvd - Published: 2025-07-15 15:15 - Updated: 2025-07-15 20:07
Summary
DSpace open source software is a repository application which provides durable access to digital resources. Two related XML External Entity (XXE) injection possibilities impact all versions of DSpace prior to 7.6.4, 8.2, and 9.1. External entities are not disabled when parsing XML files during import of an archive (in Simple Archive Format), either from the command line (`./dspace import` command) or from the "Batch Import (Zip)" user interface feature. External entities are also not explicitly disabled when parsing XML responses from some upstream services (ArXiv, Crossref, OpenAIRE, Creative Commons) used in import from external sources via the user interface or REST API. An XXE injection in these files may result in a connection being made to an attacker's site or to a local path readable by the Tomcat user, with the content potentially being injected into a metadata field. In the latter case, this may result in sensitive content disclosure, including retrieval of arbitrary files or configurations from the server where DSpace is running. The Simple Archive Format (SAF) importer / Batch Import (Zip) is only usable by site administrators (from the user interface / REST API) or system administrators (from the command line). Therefore, to exploit this vulnerability, the malicious payload would have to be provided by an attacker and trusted by an administrator, who would trigger the import. The fix is included in DSpace 7.6.4, 8.2, and 9.1. Please upgrade to one of these versions. For those who cannot upgrade immediately, it is possible to manually patch the DSpace backend. One may also apply some best practices, though the protection provided is not as complete as upgrading. Administrators must carefully inspect any SAF archives they did not construct themselves before importing. As necessary, affected external services can be disabled to mitigate the ability for payloads to be delivered via external service APIs.

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "DSpace open source software is a repository application which provides durable access to digital resources. Two related XML External Entity (XXE) injection possibilities impact all versions of DSpace prior to 7.6.4, 8.2, and 9.1. External entities are not disabled when parsing XML files during import of an archive (in Simple Archive Format), either from command-line (`./dspace import` command) or from the \"Batch Import (Zip)\" user interface feature. External entities are also not explicitly disabled when parsing XML responses from some upstream services (ArXiv, Crossref, OpenAIRE, Creative Commons) used in import from external sources via the user interface or REST API. An XXE injection in these files may result in a connection being made to an attacker\u0027s site or a local path readable by the Tomcat user, with content potentially being injected into a metadata field. In the latter case, this may result in sensitive content disclosure, including retrieving arbitrary files or configurations from the server where DSpace is running. The Simple Archive Format (SAF) importer / Batch Import (Zip) is only usable by site administrators (from user interface / REST API) or system administrators (from command-line). Therefore, to exploit this vulnerability, the malicious payload would have to be provided by an attacker and trusted by an administrator, who would trigger the import. The fix is included in DSpace 7.6.4, 8.2, and 9.1. Please upgrade to one of these versions. For those who cannot upgrade immediately, it is possible to manually patch the DSpace backend. One may also apply some best practices, though the protection provided is not as complete as upgrading. Administrators must carefully inspect any SAF archives (they did not construct themselves) before importing. As necessary, affected external services can be disabled to mitigate the ability for payloads to be delivered via external service APIs."
    },
    {
      "lang": "es",
      "value": "El software de c\u00f3digo abierto DSpace es una aplicaci\u00f3n de repositorio que proporciona acceso duradero a recursos digitales. Dos posibilidades relacionadas de inyecci\u00f3n de Entidades Externas XML (XXE) afectan a todas las versiones de DSpace anteriores a las 7.6.4, 8.2 y 9.1. Las entidades externas no se deshabilitan al analizar archivos XML durante la importaci\u00f3n de un archivo (en formato de archivo simple), ya sea desde la l\u00ednea de comandos (comando `./dspace import`) o desde la funci\u00f3n de interfaz de usuario \"Importaci\u00f3n por lotes (Zip)\". Las entidades externas tampoco se deshabilitan expl\u00edcitamente al analizar respuestas XML de algunos servicios upstream (ArXiv, Crossref, OpenAIRE, Creative Commons) utilizados en la importaci\u00f3n desde fuentes externas a trav\u00e9s de la interfaz de usuario o la API REST. Una inyecci\u00f3n XXE en estos archivos puede provocar una conexi\u00f3n al sitio web de un atacante o a una ruta local legible para el usuario de Tomcat, con la posibilidad de inyectar contenido en un campo de metadatos. En este \u00faltimo caso, esto puede provocar la divulgaci\u00f3n de contenido sensible, incluyendo la recuperaci\u00f3n de archivos o configuraciones arbitrarias del servidor donde se ejecuta DSpace. El importador de formato de archivo simple (SAF)/importaci\u00f3n por lotes (Zip) solo puede ser utilizado por administradores de sitio (desde la interfaz de usuario/API REST) o administradores de sistema (desde la l\u00ednea de comandos). Por lo tanto, para explotar esta vulnerabilidad, el payload malicioso tendr\u00eda que ser proporcionado por un atacante y contar con la confianza de un administrador, quien activar\u00eda la importaci\u00f3n. La soluci\u00f3n est\u00e1 incluida en DSpace 7.6.4, 8.2 y 9.1. Actualice a una de estas versiones. Si no puede actualizar inmediatamente, puede aplicar un parche manual al backend de DSpace. Tambi\u00e9n se pueden aplicar algunas pr\u00e1cticas recomendadas, aunque la protecci\u00f3n proporcionada no es tan completa como la de una actualizaci\u00f3n. Los administradores deben inspeccionar cuidadosamente los archivos SAF (que no hayan creado ellos mismos) antes de importar. Seg\u00fan sea necesario, se pueden deshabilitar los servicios externos afectados para mitigar la posibilidad de que los payloads se entreguen a trav\u00e9s de las API de servicios externos."
    }
  ],
  "id": "CVE-2025-53621",
  "lastModified": "2025-07-15T20:07:28.023",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 6.9,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 1.7,
        "impactScore": 4.7,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-07-15T15:15:25.517",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/DSpace/DSpace/pull/11032"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/DSpace/DSpace/pull/11032.patch"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/DSpace/DSpace/pull/11034"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/DSpace/DSpace/pull/11034.patch"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/DSpace/DSpace/pull/11035"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/DSpace/DSpace/pull/11035.patch"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/DSpace/DSpace/security/advisories/GHSA-jjwr-5cfh-7xwh"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-611"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

