DSpace open source software is a repository application which provides durable access to digital resources. In affected versions the ItemImportServiceImpl is vulnerable to a path traversal vulnerability. This means a malicious SAF (simple archive format) package could cause a file/directory to be created anywhere the Tomcat/DSpace user can write to on the server. However, this path traversal vulnerability is only possible by a user with special privileges (either Administrators or someone with command-line access to the server). This vulnerability impacts the XMLUI, JSPUI and command-line. Users are advised to upgrade. As a basic workaround, users may block all access to the following URL paths: If you are using the XMLUI, block all access to /admin/batchimport path (this is the URL of the Admin Batch Import tool). Keep in mind, if your site uses the path "/xmlui", then you'd need to block access to /xmlui/admin/batchimport. If you are using the JSPUI, block all access to /dspace-admin/batchimport path (this is the URL of the Admin Batch Import tool). Keep in mind, if your site uses the path "/jspui", then you'd need to block access to /jspui/dspace-admin/batchimport. Keep in mind, only an Administrative user or a user with command-line access to the server is able to import/upload SAF packages. Therefore, assuming those users do not blindly upload untrusted SAF packages, then it is unlikely your site could be impacted by this vulnerability.
{
"cna_assigner": "GitHub_M",
"unresolved_ranges": [
{
"source": "AFFECTED_FIELD",
"extracted_events": [
{
"introduced": "6.0"
},
{
"fixed": "6.4"
},
{
"introduced": "4.0"
},
{
"fixed": "5.11"
}
]
}
],
"cwe_ids": [
"CWE-22"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/31xxx/CVE-2022-31195.json"
}"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-31195.json"
[
{
"source": "https://github.com/dspace/dspace/commit/7af52a0883a9dbc475cf3001f04ed11b24c8a4c0",
"digest": {
"line_hashes": [
"324937675169398868389026485710780297683",
"227134304912658197765420340132475114748",
"23471528955006589878113908883650483940",
"193856166048208159492038341719115138968",
"229219876699090297006619355520292185750",
"90730814027468812740538677683502292589",
"117307467182127527932517160122747292356",
"52594000209111295725852161053133091864",
"81361672912613216572411971733676670090",
"174582339988540942366754254720514142866",
"7734967841021925861909498891553265962",
"77096016746842793817015062453649497812",
"54355544438824708196842174178514117664",
"243097349561622869190705053695779601347",
"58783988479260003528754705409876919701",
"121458929453980428992656502650950557300",
"306337316056027113385556684305361919797",
"111540096561857701724853841449944428769",
"47241196339403139093803247545613991464",
"5823539237528271446283575093885848984",
"153132947793114274313179208803611135450",
"185547155680927146319965237797975714623",
"79512995125543846951149825759894993083",
"201402387016329000596481975653781685501",
"41737914797436775561149753564616361608",
"323441042109987343623011963940829253384",
"84969057056235760730153422332015727916",
"159876255852924636111770419436882060755",
"278216626521375215823291433700423922213",
"39486481399532956964151654163004207270",
"295720427183845371252222464184799647659",
"260514979531839251416857230104774861102",
"68746123743164825858945621796178479074",
"180332864662553037352392383341036819635",
"315827431810704865019019177054695671975",
"301568792372847562553615752562739353475",
"27581142174730860426474374625438736593",
"327923229560345985191335146772837658167",
"210633393528424116552068953364705797792",
"25308190499023158138470165549186727525",
"240142159698039103806287661169161088069",
"279676751306528648653578919860140920639"
],
"threshold": 0.9
},
"signature_type": "Line",
"signature_version": "v1",
"deprecated": false,
"target": {
"file": "dspace-api/src/main/java/org/dspace/app/itemimport/ItemImportServiceImpl.java"
},
"id": "CVE-2022-31195-607cff02"
},
{
"source": "https://github.com/dspace/dspace/commit/7af52a0883a9dbc475cf3001f04ed11b24c8a4c0",
"digest": {
"function_hash": "273393222149112002952349889983338743084",
"length": 2416.0
},
"signature_type": "Function",
"signature_version": "v1",
"deprecated": false,
"target": {
"function": "unzip",
"file": "dspace-api/src/main/java/org/dspace/app/itemimport/ItemImportServiceImpl.java"
},
"id": "CVE-2022-31195-7c0a7886"
},
{
"source": "https://github.com/dspace/dspace/commit/56e76049185bbd87c994128a9d77735ad7af0199",
"digest": {
"function_hash": "277216625786642002834123861350452890250",
"length": 2362.0
},
"signature_type": "Function",
"signature_version": "v1",
"deprecated": false,
"target": {
"function": "unzip",
"file": "dspace-api/src/main/java/org/dspace/app/itemimport/ItemImport.java"
},
"id": "CVE-2022-31195-81905058"
},
{
"source": "https://github.com/dspace/dspace/commit/56e76049185bbd87c994128a9d77735ad7af0199",
"digest": {
"line_hashes": [
"81361672912613216572411971733676670090",
"174582339988540942366754254720514142866",
"7734967841021925861909498891553265962",
"77096016746842793817015062453649497812",
"54355544438824708196842174178514117664",
"243097349561622869190705053695779601347",
"58783988479260003528754705409876919701",
"121458929453980428992656502650950557300",
"306337316056027113385556684305361919797",
"111540096561857701724853841449944428769",
"47241196339403139093803247545613991464",
"5823539237528271446283575093885848984",
"153132947793114274313179208803611135450",
"185547155680927146319965237797975714623",
"79512995125543846951149825759894993083",
"201402387016329000596481975653781685501",
"41737914797436775561149753564616361608",
"323441042109987343623011963940829253384",
"84969057056235760730153422332015727916",
"159876255852924636111770419436882060755",
"278216626521375215823291433700423922213",
"39486481399532956964151654163004207270",
"295720427183845371252222464184799647659",
"210633393528424116552068953364705797792",
"25308190499023158138470165549186727525",
"240142159698039103806287661169161088069",
"279676751306528648653578919860140920639"
],
"threshold": 0.9
},
"signature_type": "Line",
"signature_version": "v1",
"deprecated": false,
"target": {
"file": "dspace-api/src/main/java/org/dspace/app/itemimport/ItemImport.java"
},
"id": "CVE-2022-31195-c34054ca"
}
]
"2026-07-09T06:35:09Z"