SCA: security update for org.dspace:dspace-api (GHSA-vhvx-8xgc-99wf)

medium Tenable Self-Hosted Container Security Plugin ID 428402

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- DSpace open source software is a repository application which provides durable access to digital
resources. Prior to versions 7.6.4, 8.2, and 9.1, a path traversal vulnerability is possible during the
import of an archive (in Simple Archive Format), either from command-line (`./dspace import` command) or
from the "Batch Import (Zip)" user interface feature. An attacker may craft a malicious Simple Archive
Format (SAF) package where the `contents` file references any system files (using relative traversal
sequences) which are readable by the Tomcat user. If such a package is imported, this will result in
sensitive content disclose, including retrieving arbitrary files or configurations from the server where
DSpace is running. The Simple Archive Format (SAF) importer / Batch Import (Zip) is only usable by site
administrators (from user interface / REST API) or system administrators (from command-line). Therefore,
to exploit this vulnerability, the malicious payload would have to be provided by an attacker and trusted
by an administrator (who would trigger the import). The fix is included in DSpace 7.6.4, 8.2 and 9.1. For
those who cannot upgrade immediately, it is possible to manually patch the DSpace backend. (No changes are
necessary to the frontend.) A pull request exists which can be used to patch systems running DSpace 7.6.x,
8.x or 9.0. Although it is not possible to fully protect the system via workarounds, one may can apply a
best practice. Administrators must carefully inspect any SAF archives (they did not construct themselves)
before importing, paying close attention to the `contents` file to validate it does not reference files
outside of the SAF archives. (CVE-2025-53622)

See Also

https://github.com/advisories/GHSA-vhvx-8xgc-99wf

Plugin Details

Severity: Medium

ID: 428402

Version: Revision 1.9

Type: Local

Family: SCA Checks

Published: 7/15/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3.5

Percentile: 51.76

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:M/C:C/I:N/A:P

CVSS Score Source: CVE-2025-53622

CVSS v3

Risk Factor: Medium

Base Score: 5.2

Temporal Score: 4.5

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:L

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 7/15/2025

Vulnerability Publication Date: 7/15/2025

Reference Information

CVE: CVE-2025-53622

cwe: CWE-22