In recent weeks, several security vulnerabilities where discovered in the XMLUI, JSPUI and REST API.

WE RECOMMEND ALL SITES UPGRADE TO EITHER DSPACE 4.7 or 5.6 to ensure your site is secure, or manually patch your site using the tickets detailed below. (Please note that the DSpace 5.6 release also includes bug fixes to the 5.x platform.)

 * DSpace 5.6
     o Release Notes:
     o Download:
 * DSpace 4.7
     o Release Notes:
     o Download:

Summary of general vulnerabilities:

 * /[MEDIUM SEVERITY] XML External Entity (XXE) vulnerability in
   pdfbox. /(DS-3309 <> -
   requires a JIRA account to access.) This vulnerability was
   discovered in the 'pdfbox' software and more details can be found at Prior versions of
   DSpace can easily patch this issue by updating the version of
   'pdfbox' used by your DSpace (see ticket for details).  This
   vulnerability affects all versions of DSpace that use pdfbox. It was
   discovered by Seth Robbins
 * /[MEDIUM SEVERITY] Bitstreams of embargoed and/or withdrawn items
   can be accessed by anyone (via JSPUI, XMLUI or REST). (DS-3097
   <> - requires a JIRA
   account to access). /This vulnerability could allow anonymous users
   to read embargoed or withdrawn files, via direct URL access when
   "request-a-copy" is disabled (which is not the default). This
   vulnerability affects DSpace 4.x and 5.x, and was discovered by
   Franziska Ackermann

Additional JSPUI Vulnerability (affects 1.5.x and above):

 * /[HIGH SEVERITY]  Any registered user can modify in progress
   submission. (DS-2895 <> -
   requires a JIRA account to access.) /This vulnerability could allow
   registered users to edit others in-progress submissions,
   provided//that they could guess the internal ID of the submission.
   This vulnerability affects DSpace 1.5.x up to (and including) 5.x
   and was discovered by Andrea Bollini of 4Science.

Additional REST Vulnerability (affecting 5.x only):

 * /[HIGH SEVERITY] //SQL Injection Vulnerability in 5.x REST
   API (DS-3250 <> /- requires
   a JIRA account to access.) //This vulnerability affects DSpace 5.x
   only and was discovered by Bram Luyten of Atmire.

As these vulnerabilities are now considered "public", questions may be asked on our DSpace Tech Support mailing list (!forum/dspace-tech) or on the tickets themselves.

We also welcome private security reports, concerns or questions via our security contact address (


Tim Donohue (on behalf of the DSpace Committers)

Tim Donohue
Technical Lead for DSpace & DSpaceDirect | |

You received this message because you are subscribed to the Google Groups "DSpace 
Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
To post to this group, send email to
Visit this group at
For more options, visit

Reply via email to