一、 漏洞 CVE-2022-31195 基础信息
漏洞信息
# DSpace中Simple Archive Format包导入中的路径遍历漏洞
N/A
神龙判断
是否为 Web 类漏洞: 未知
判断理由:
N/A
提示
尽管我们采用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。
神龙会尽力确保数据准确,但也请结合实际情况进行甄别与判断。
神龙祝您一切顺利!
神龙会尽力确保数据准确,但也请结合实际情况进行甄别与判断。
神龙祝您一切顺利!
漏洞标题
Path traversal vulnerability in Simple Archive Format package import in DSpace
来源:美国国家漏洞数据库 NVD
漏洞描述信息
DSpace open source software is a repository application which provides durable access to digital resources. In affected versions the ItemImportServiceImpl is vulnerable to a path traversal vulnerability. This means a malicious SAF (simple archive format) package could cause a file/directory to be created anywhere the Tomcat/DSpace user can write to on the server. However, this path traversal vulnerability is only possible by a user with special privileges (either Administrators or someone with command-line access to the server). This vulnerability impacts the XMLUI, JSPUI and command-line. Users are advised to upgrade. As a basic workaround, users may block all access to the following URL paths: If you are using the XMLUI, block all access to /admin/batchimport path (this is the URL of the Admin Batch Import tool). Keep in mind, if your site uses the path "/xmlui", then you'd need to block access to /xmlui/admin/batchimport. If you are using the JSPUI, block all access to /dspace-admin/batchimport path (this is the URL of the Admin Batch Import tool). Keep in mind, if your site uses the path "/jspui", then you'd need to block access to /jspui/dspace-admin/batchimport. Keep in mind, only an Administrative user or a user with command-line access to the server is able to import/upload SAF packages. Therefore, assuming those users do not blindly upload untrusted SAF packages, then it is unlikely your site could be impacted by this vulnerability.
来源:美国国家漏洞数据库 NVD
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
来源:美国国家漏洞数据库 NVD
漏洞类别
对路径名的限制不恰当(路径遍历)
来源:美国国家漏洞数据库 NVD
漏洞标题
DSpace 路径遍历漏洞
来源:中国国家信息安全漏洞库 CNNVD
漏洞描述信息
DSpace是DuraSpace社区的一个开源的交钥匙存储库应用程序。 DSpace 4.0 到 6.3版本存在路径遍历漏洞,该漏洞源于意 SAF(简单存档格式)包可能会导致在 Tomcat/DSpace 用户可以在服务器上写入的任何位置创建文件/目录。
来源:中国国家信息安全漏洞库 CNNVD
CVSS信息
N/A
来源:中国国家信息安全漏洞库 CNNVD
漏洞类别
路径遍历
来源:中国国家信息安全漏洞库 CNNVD
二、漏洞 CVE-2022-31195 的公开POC
| # | POC 描述 | 源链接 | 神龙链接 |
|---|---|---|---|
| 1 | None | https://github.com/shoucheng3/DSpace__DSpace_CVE-2022-31195_5-10 | POC详情 |
三、漏洞 CVE-2022-31195 的情报信息
-
标题: Path traversal vulnerability in Simple Archive Format package import (ItemImportService API) · Advisory · DSpace/DSpace · GitHub -- 🔗来源链接
标签: x_refsource_CONFIRM
- https://github.com/DSpace/DSpace/commit/56e76049185bbd87c994128a9d77735ad7af0199 x_refsource_MISC
- https://github.com/DSpace/DSpace/commit/7af52a0883a9dbc475cf3001f04ed11b24c8a4c0 x_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2022-31195
四、漏洞 CVE-2022-31195 的评论
暂无评论