SCA: security update for org.dspace:dspace-api (GHSA-jjwr-5cfh-7xwh)

medium Tenable Cloud Security Plugin ID 428400

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- DSpace open source software is a repository application which provides durable access to digital
resources. Two related XML External Entity (XXE) injection possibilities impact all versions of DSpace
prior to 7.6.4, 8.2, and 9.1. External entities are not disabled when parsing XML files during import of
an archive (in Simple Archive Format), either from command-line (`./dspace import` command) or from the
"Batch Import (Zip)" user interface feature. External entities are also not explicitly disabled when
parsing XML responses from some upstream services (ArXiv, Crossref, OpenAIRE, Creative Commons) used in
import from external sources via the user interface or REST API. An XXE injection in these files may
result in a connection being made to an attacker's site or a local path readable by the Tomcat user, with
content potentially being injected into a metadata field. In the latter case, this may result in sensitive
content disclosure, including retrieving arbitrary files or configurations from the server where DSpace is
running. The Simple Archive Format (SAF) importer / Batch Import (Zip) is only usable by site
administrators (from user interface / REST API) or system administrators (from command-line). Therefore,
to exploit this vulnerability, the malicious payload would have to be provided by an attacker and trusted
by an administrator, who would trigger the import. The fix is included in DSpace 7.6.4, 8.2, and 9.1.
Please upgrade to one of these versions. For those who cannot upgrade immediately, it is possible to
manually patch the DSpace backend. One may also apply some best practices, though the protection provided
is not as complete as upgrading. Administrators must carefully inspect any SAF archives (they did not
construct themselves) before importing. As necessary, affected external services can be disabled to
mitigate the ability for payloads to be delivered via external service APIs. (CVE-2025-53621)

See Also

https://github.com/advisories/GHSA-jjwr-5cfh-7xwh

Plugin Details

Severity: Medium

ID: 428400

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 7/15/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3.9

Percentile: 52.46

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:M/C:C/I:N/A:P

CVSS Score Source: CVE-2025-53621

CVSS v3

Risk Factor: Medium

Base Score: 6.9

Temporal Score: 6

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:L

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 7/15/2025

Vulnerability Publication Date: 7/15/2025

Reference Information

CVE: CVE-2025-53621

cwe: CWE-611