Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2022-31193— URL Redirection to Untrusted Site in Dspace JSPUI

CVSS 7.1 · High EPSS 0.26% · P50
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2022-31193

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
URL Redirection to Untrusted Site in Dspace JSPUI
Source: NVD (National Vulnerability Database)
Vulnerability Description
DSpace open source software is a repository application which provides durable access to digital resources. dspace-jspui is a UI component for DSpace. The JSPUI controlled vocabulary servlet is vulnerable to an open redirect attack, where an attacker can craft a malicious URL that looks like a legitimate DSpace/repository URL. When that URL is clicked by the target, it redirects them to a site of the attacker's choice. This issue has been patched in versions 5.11 and 6.4. Users are advised to upgrade. There are no known workaround for this vulnerability.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Source: NVD (National Vulnerability Database)
Vulnerability Type
指向未可信站点的URL重定向(开放重定向)
Source: NVD (National Vulnerability Database)
Vulnerability Title
DSpace 输入验证错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
DSpace是DuraSpace社区的一个开源的交钥匙存储库应用程序。 DSpace 4.0 到 6.3版本存在输入验证错误漏洞,该漏洞源于JSPUI 控制的词汇 servlet 容易受到开放重定向攻击,攻击者可以在其中制作一个看起来像合法DSpace/repository URL 的恶意 URL,当目标单击该 URL 时,它会将它们重定向到攻击者选择的站点。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
DSpaceDSpace >= 6.0, < 6.4 -

II. Public POCs for CVE-2022-31193

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2022-31193

登录查看更多情报信息。

Same Patch Batch · DSpace · 2022-08-01 · 7 CVEs total

CVE-2022-311948.2 HIGHPath traversal vulnerabilities in DSpace JSPUI submission upload
CVE-2022-311957.2 HIGHPath traversal vulnerability in Simple Archive Format package import in DSpace
CVE-2022-311917.1 HIGHCross Site Scripting possible in DSpace JSPUI spellcheck and autocomplete tools
CVE-2022-311927.1 HIGHCross Site Scripting possible in DSpace JSPUI "Request a Copy" feature
CVE-2022-311895.3 MEDIUM"Internal System Error" page in DSpace JSPUI prints exceptions and stack traces without sa
CVE-2022-311905.3 MEDIUMMetadata of withdrawn Items is exposed to anonymous users in DSpace XMLUI

IV. Related Vulnerabilities

Same product: DSpace
Same vendor: DSpace
Same weakness: CWE-601

V. Comments for CVE-2022-31193

No comments yet

Leave a comment