CVE-2022-31193: URL Redirection to Untrusted Site in Dspace JSPUI

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2022-31193

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

URL Redirection to Untrusted Site in Dspace JSPUI

Source: NVD (National Vulnerability Database)

Vulnerability Description

DSpace open source software is a repository application which provides durable access to digital resources. dspace-jspui is a UI component for DSpace. The JSPUI controlled vocabulary servlet is vulnerable to an open redirect attack, where an attacker can craft a malicious URL that looks like a legitimate DSpace/repository URL. When that URL is clicked by the target, it redirects them to a site of the attacker's choice. This issue has been patched in versions 5.11 and 6.4. Users are advised to upgrade. There are no known workaround for this vulnerability.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Source: NVD (National Vulnerability Database)

Vulnerability Type

指向未可信站点的URL重定向(开放重定向)

Source: NVD (National Vulnerability Database)

Vulnerability Title

DSpace 输入验证错误漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

DSpace是DuraSpace社区的一个开源的交钥匙存储库应用程序。 DSpace 4.0 到 6.3版本存在输入验证错误漏洞，该漏洞源于JSPUI 控制的词汇 servlet 容易受到开放重定向攻击，攻击者可以在其中制作一个看起来像合法DSpace/repository URL 的恶意 URL，当目标单击该 URL 时，它会将它们重定向到攻击者选择的站点。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
DSpace	DSpace	>= 6.0, < 6.4	-

II. Public POCs for CVE-2022-31193

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2022-31193

Please Login to view more intelligence information

https://github.com/DSpace/DSpace/commit/f7758457b7ec3489d525e39aa753cc70809d9ad9x_refsource_MISC
https://github.com/DSpace/DSpace/security/advisories/GHSA-763j-q7wv-vf3mx_refsource_CONFIRM
https://github.com/DSpace/DSpace/commit/5f72424a478f59061dcc516b866dcc687bc3f9dex_refsource_MISC
https://nvd.nist.gov/vuln/detail/CVE-2022-31193

IV. Related Vulnerabilities

Same product: DSpace

Same vendor: DSpace

Same weakness: CWE-601

V. Comments for CVE-2022-31193

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

I. Basic Information for CVE-2022-31193

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2022-31193

III. Intelligence Information for CVE-2022-31193

IV. Related Vulnerabilities

V. Comments for CVE-2022-31193

Leave a comment