CVE-2022-31195

Source
https://cve.org/CVERecord?id=CVE-2022-31195
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-31195.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-31195
Aliases
Published
2022-08-01T20:35:11Z
Modified
2026-07-09T06:35:09.868100Z
Severity
  • 7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Path traversal vulnerability in Simple Archive Format package import in DSpace
Details

DSpace open source software is a repository application which provides durable access to digital resources. In affected versions the ItemImportServiceImpl is vulnerable to a path traversal vulnerability. This means a malicious SAF (simple archive format) package could cause a file/directory to be created anywhere the Tomcat/DSpace user can write to on the server. However, this path traversal vulnerability is only possible by a user with special privileges (either Administrators or someone with command-line access to the server). This vulnerability impacts the XMLUI, JSPUI and command-line. Users are advised to upgrade. As a basic workaround, users may block all access to the following URL paths: If you are using the XMLUI, block all access to /admin/batchimport path (this is the URL of the Admin Batch Import tool). Keep in mind, if your site uses the path "/xmlui", then you'd need to block access to /xmlui/admin/batchimport. If you are using the JSPUI, block all access to /dspace-admin/batchimport path (this is the URL of the Admin Batch Import tool). Keep in mind, if your site uses the path "/jspui", then you'd need to block access to /jspui/dspace-admin/batchimport. Keep in mind, only an Administrative user or a user with command-line access to the server is able to import/upload SAF packages. Therefore, assuming those users do not blindly upload untrusted SAF packages, then it is unlikely your site could be impacted by this vulnerability.

Database specific
{
    "cna_assigner": "GitHub_M",
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "introduced": "6.0"
                },
                {
                    "fixed": "6.4"
                },
                {
                    "introduced": "4.0"
                },
                {
                    "fixed": "5.11"
                }
            ]
        }
    ],
    "cwe_ids": [
        "CWE-22"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/31xxx/CVE-2022-31195.json"
}
References

Affected packages

Git / github.com/dspace/dspace

Affected ranges

Type
GIT
Repo
https://github.com/dspace/dspace
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "source": "REFERENCES"
}

Affected versions

dspace-3.*
dspace-3.0
dspace-3.0-rc1
dspace-3.0-rc2
dspace-3.0-rc3
dspace-4.*
dspace-4.0
dspace-4.0-rc1
dspace-4.0-rc2
dspace-4.0-rc3
dspace-5.*
dspace-5.0
dspace-5.0-rc1
dspace-5.0-rc2
dspace-5.0-rc3
dspace-5.1
dspace-5.10
dspace-5.2
dspace-5.3
dspace-5.4
dspace-5.5
dspace-5.6
dspace-5.7
dspace-5.8
dspace-5.9
dspace-6.*
dspace-6.0
dspace-6.0-pre-DS-2701
dspace-6.0-rc1
dspace-6.0-rc2
dspace-6.0-rc3
dspace-6.0-rc4
dspace-6.1
dspace-6.2
dspace-6.3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-31195.json"
vanir_signatures
[
    {
        "source": "https://github.com/dspace/dspace/commit/7af52a0883a9dbc475cf3001f04ed11b24c8a4c0",
        "digest": {
            "line_hashes": [
                "324937675169398868389026485710780297683",
                "227134304912658197765420340132475114748",
                "23471528955006589878113908883650483940",
                "193856166048208159492038341719115138968",
                "229219876699090297006619355520292185750",
                "90730814027468812740538677683502292589",
                "117307467182127527932517160122747292356",
                "52594000209111295725852161053133091864",
                "81361672912613216572411971733676670090",
                "174582339988540942366754254720514142866",
                "7734967841021925861909498891553265962",
                "77096016746842793817015062453649497812",
                "54355544438824708196842174178514117664",
                "243097349561622869190705053695779601347",
                "58783988479260003528754705409876919701",
                "121458929453980428992656502650950557300",
                "306337316056027113385556684305361919797",
                "111540096561857701724853841449944428769",
                "47241196339403139093803247545613991464",
                "5823539237528271446283575093885848984",
                "153132947793114274313179208803611135450",
                "185547155680927146319965237797975714623",
                "79512995125543846951149825759894993083",
                "201402387016329000596481975653781685501",
                "41737914797436775561149753564616361608",
                "323441042109987343623011963940829253384",
                "84969057056235760730153422332015727916",
                "159876255852924636111770419436882060755",
                "278216626521375215823291433700423922213",
                "39486481399532956964151654163004207270",
                "295720427183845371252222464184799647659",
                "260514979531839251416857230104774861102",
                "68746123743164825858945621796178479074",
                "180332864662553037352392383341036819635",
                "315827431810704865019019177054695671975",
                "301568792372847562553615752562739353475",
                "27581142174730860426474374625438736593",
                "327923229560345985191335146772837658167",
                "210633393528424116552068953364705797792",
                "25308190499023158138470165549186727525",
                "240142159698039103806287661169161088069",
                "279676751306528648653578919860140920639"
            ],
            "threshold": 0.9
        },
        "signature_type": "Line",
        "signature_version": "v1",
        "deprecated": false,
        "target": {
            "file": "dspace-api/src/main/java/org/dspace/app/itemimport/ItemImportServiceImpl.java"
        },
        "id": "CVE-2022-31195-607cff02"
    },
    {
        "source": "https://github.com/dspace/dspace/commit/7af52a0883a9dbc475cf3001f04ed11b24c8a4c0",
        "digest": {
            "function_hash": "273393222149112002952349889983338743084",
            "length": 2416.0
        },
        "signature_type": "Function",
        "signature_version": "v1",
        "deprecated": false,
        "target": {
            "function": "unzip",
            "file": "dspace-api/src/main/java/org/dspace/app/itemimport/ItemImportServiceImpl.java"
        },
        "id": "CVE-2022-31195-7c0a7886"
    },
    {
        "source": "https://github.com/dspace/dspace/commit/56e76049185bbd87c994128a9d77735ad7af0199",
        "digest": {
            "function_hash": "277216625786642002834123861350452890250",
            "length": 2362.0
        },
        "signature_type": "Function",
        "signature_version": "v1",
        "deprecated": false,
        "target": {
            "function": "unzip",
            "file": "dspace-api/src/main/java/org/dspace/app/itemimport/ItemImport.java"
        },
        "id": "CVE-2022-31195-81905058"
    },
    {
        "source": "https://github.com/dspace/dspace/commit/56e76049185bbd87c994128a9d77735ad7af0199",
        "digest": {
            "line_hashes": [
                "81361672912613216572411971733676670090",
                "174582339988540942366754254720514142866",
                "7734967841021925861909498891553265962",
                "77096016746842793817015062453649497812",
                "54355544438824708196842174178514117664",
                "243097349561622869190705053695779601347",
                "58783988479260003528754705409876919701",
                "121458929453980428992656502650950557300",
                "306337316056027113385556684305361919797",
                "111540096561857701724853841449944428769",
                "47241196339403139093803247545613991464",
                "5823539237528271446283575093885848984",
                "153132947793114274313179208803611135450",
                "185547155680927146319965237797975714623",
                "79512995125543846951149825759894993083",
                "201402387016329000596481975653781685501",
                "41737914797436775561149753564616361608",
                "323441042109987343623011963940829253384",
                "84969057056235760730153422332015727916",
                "159876255852924636111770419436882060755",
                "278216626521375215823291433700423922213",
                "39486481399532956964151654163004207270",
                "295720427183845371252222464184799647659",
                "210633393528424116552068953364705797792",
                "25308190499023158138470165549186727525",
                "240142159698039103806287661169161088069",
                "279676751306528648653578919860140920639"
            ],
            "threshold": 0.9
        },
        "signature_type": "Line",
        "signature_version": "v1",
        "deprecated": false,
        "target": {
            "file": "dspace-api/src/main/java/org/dspace/app/itemimport/ItemImport.java"
        },
        "id": "CVE-2022-31195-c34054ca"
    }
]
vanir_signatures_modified
"2026-07-09T06:35:09Z"