"Internal System Error" page in DSpace JSPUI prints exceptions and stack traces without sanitization
Description
DSpace open source software is a repository application which provides durable access to digital resources. dspace-jspui is a UI component for DSpace. When an "Internal System Error" occurs in the JSPUI, the entire exception (including stack trace) is displayed to the user. Information in this stack trace may be useful to an attacker in launching a more sophisticated attack. This vulnerability only impacts the JSPUI. This issue has been fixed in version 6.4; users are advised to upgrade. Users unable to upgrade should disable the display of error messages in their internal.jsp file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.dspace:dspace-jspui (Maven) | >= 4.0, < 6.4 | 6.4 |
Patches (2)
Vulnerability mechanics
Root cause
"The JSPUI error page exposes the full exception and stack trace to the user when an internal system error occurs, leaking sensitive implementation details."
Attack vector
An attacker triggers an internal system error in the JSPUI by sending a crafted request that causes an unhandled exception. The JSPUI error page then renders the full exception and stack trace back to the attacker. This information disclosure reveals internal implementation details such as class names, file paths, and library versions, which can aid the attacker in crafting more targeted exploits. No authentication is required; the attacker only needs network access to a vulnerable JSPUI endpoint.
Affected code
The vulnerability resides in the JSPUI component of DSpace, specifically in the error-handling code that renders the "Internal System Error" page. The advisory states that when an internal system error occurs, the entire exception including its stack trace is displayed to the user. The patch provided is a release version bump (6.4-SNAPSHOT to 6.4) and does not show the actual code change that fixes the information disclosure; the fix is described as disabling the display of error messages in the `internal.jsp` file.
What the fix does
The patch shown is a release-version commit that updates all pom.xml files from 6.4-SNAPSHOT to 6.4 and sets the SCM tag to dspace-6.4. This commit does not contain the actual code change to the error-handling logic. According to the advisory, the real fix involves modifying the `internal.jsp` file to suppress the display of exception details and stack traces. Users unable to upgrade are advised to manually disable error message display in that file.
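The advisory only describes the fix as suppressing error display in internal.jsp, so the following JSP is an added illustration of that pattern and is not DSpace's own internal.jsp code. It places the disclosing behaviour the advisory describes (stack trace written to the response) next to a hardened form that logs the full exception server-side under a random reference ID and shows the user only that ID; the `showErrorDetails` flag and the logger name are assumptions.

```jsp
<%-- Added example: hypothetical error page, not DSpace's internal.jsp. --%>
<%@ page isErrorPage="true" contentType="text/html; charset=UTF-8" %>
<%@ page import="java.io.PrintWriter, java.util.UUID" %>
<%@ page import="java.util.logging.Level, java.util.logging.Logger" %>
<%
    // Assumed configuration flag: true reproduces the behaviour described
    // in the advisory, false is the hardened behaviour.
    boolean showErrorDetails = false;
    Logger log = Logger.getLogger("example.ErrorPage"); // assumed logger name
    // A short random reference lets support staff locate the full trace in
    // the server log without the trace ever reaching the client.
    String ref = UUID.randomUUID().toString();
    if (exception != null) {
        // The exception and its stack trace are recorded on the server only.
        log.log(Level.SEVERE, "Internal System Error ref=" + ref, exception);
    }
%>
<html>
<body>
<h1>Internal System Error</h1>
<p>The system has experienced an internal error. Reference: <%= ref %></p>
<%
    if (showErrorDetails && exception != null) {
        // Disclosing pattern: writes class names, file paths and library
        // versions from the stack trace into the HTML response.
%>
<pre><% exception.printStackTrace(new PrintWriter(out)); %></pre>
<%
    }
    // Hardened pattern (showErrorDetails == false): nothing about the
    // exception is emitted beyond the reference ID shown above.
%>
</body>
</html>
```

Reviewing the server log for the reference ID a user reports gives the same diagnostic detail the old page leaked, without exposing it to unauthenticated clients.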
Preconditions
- config: The DSpace instance must be running the JSPUI (not XMLUI or REST).
- network: The attacker must have network access to a JSPUI endpoint that can be made to throw an unhandled exception.
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-c2j7-66m3-r4ff (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-31189 (NVD advisory)
- github.com/DSpace/DSpace/commit/afcc6c3389729b85d5c7b0230cbf9aaf7452f31a (fix commit)
- github.com/DSpace/DSpace/security/advisories/GHSA-c2j7-66m3-r4ff (vendor advisory)