Path traversal vulnerabilities in DSpace JSPUI submission upload
Description
DSpace open source software is a repository application which provides durable access to digital resources. dspace-jspui is a UI component for DSpace. The JSPUI resumable upload implementations in SubmissionController and FileUploadRequest are vulnerable to multiple path traversal attacks, allowing an attacker to create files/directories anywhere on the server writable by the Tomcat/DSpace user, by modifying some request parameters during submission. This path traversal can only be executed by a user with special privileges (submitter rights). This vulnerability only impacts the JSPUI. Users are advised to upgrade. There are no known workarounds. However, this vulnerability cannot be exploited by an anonymous user or a basic user. The user must first have submitter privileges to at least one Collection and be able to determine how to modify the request parameters to exploit the vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.dspace:dspace-jspui (Maven) | >= 4.0, < 5.11 | 5.11 |
| org.dspace:dspace-jspui (Maven) | >= 6.0, < 6.4 | 6.4 |
Vulnerability mechanics
Root cause
"Missing input validation and path sanitization in JSPUI resumable upload request parameters allows path traversal."
Attack vector
An attacker must first have submitter privileges to at least one Collection. By modifying specific request parameters during the submission process, the attacker can inject path traversal sequences (e.g., "../") into file or directory names. The JSPUI resumable upload code does not sanitize these parameters, allowing the attacker to write files or create directories anywhere on the server that the Tomcat/DSpace user can write to. This attack cannot be carried out by anonymous or basic users.
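The containment check that this class of bug calls for, as an added example: it is not DSpace code and not the project's fix, which this page does not show. The class name, method name, temporary directory and sample file names are all hypothetical or constructed for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;

// Added illustration; not DSpace source. All names here are hypothetical.
public class UploadPathCheck {

    /**
     * Resolve a client-supplied name under baseDir and reject anything
     * that would land outside it.
     */
    static Path resolveInside(Path baseDir, String clientName) throws IOException {
        if (clientName == null || clientName.isEmpty()) {
            throw new IOException("empty name");
        }
        Path base = baseDir.toRealPath();   // canonical form, symlinks resolved
        Path candidate;
        try {
            // normalize() collapses "." and ".." before the comparison below
            candidate = base.resolve(clientName).normalize();
        } catch (InvalidPathException e) {  // e.g. an embedded NUL character
            throw new IOException("invalid name", e);
        }
        // resolve() returns its argument unchanged when that argument is
        // absolute, so this one check covers "../" sequences and absolute
        // paths. Path.startsWith compares whole name elements, not string
        // prefixes, so "/base-evil" does not pass for "/base".
        if (!candidate.startsWith(base) || candidate.equals(base)) {
            throw new IOException("name escapes upload directory: " + clientName);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("upload-demo"); // constructed sandbox
        // Constructed sample inputs: one ordinary name, three that must be refused.
        String[] names = { "chunk-0001.part", "../outside.txt",
                           "a/../../outside.txt", "/tmp/absolute.txt" };
        for (String n : names) {
            try {
                System.out.println("ACCEPT " + n + " -> " + resolveInside(base, n));
            } catch (IOException e) {
                System.out.println("REJECT " + n);
            }
        }
    }
}
```

The check has to run on every request parameter that ends up in a file or directory name, before any directory is created or any byte is written.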
Affected code
The vulnerability resides in the JSPUI resumable upload implementations within SubmissionController and FileUploadRequest. The advisory states these components are vulnerable to multiple path traversal attacks, but the supplied patches (release version bumps in pom.xml files) do not contain any code changes that address the traversal logic. The actual security fix is not visible in the provided patch diffs.
What the fix does
The supplied patches [patch_id=1641504] and [patch_id=1641505] are Maven release-plugin commits that only change version numbers from "-SNAPSHOT" to the release version and update the SCM tag. They contain no code changes to SubmissionController, FileUploadRequest, or any other Java source file. The advisory states that users should upgrade to the fixed release, but the actual path traversal sanitization logic is not present in these diffs. Without the real security patch diff, the specific fix mechanism cannot be determined from the provided bundle.
Preconditions
- auth: Attacker must have submitter privileges to at least one Collection in DSpace.
- network: Attacker must be able to craft and send HTTP requests with modified parameters to the JSPUI submission endpoints.
- config: The JSPUI component must be deployed and accessible.
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-qp5m-c3m9-8q2p (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-31194 (ghsa, ADVISORY)
- github.com/DSpace/DSpace/commit/7569c6374aefeafb996e202cf8d631020eda5f24 (ghsa, x_refsource_MISC, WEB)
- github.com/DSpace/DSpace/commit/d1dd7d23329ef055069759df15cfa200c8e3 (ghsa, x_refsource_MISC, WEB)
- github.com/DSpace/DSpace/security/advisories/GHSA-qp5m-c3m9-8q2p (ghsa, x_refsource_CONFIRM, WEB)