Open Redirect in DSpace dspace-jspui <5.11/6.4
CVE-2022-31193 Published on August 1, 2022

URL Redirection to Untrusted Site in Dspace JSPUI
DSpace open source software is a repository application which provides durable access to digital resources. dspace-jspui is a UI component for DSpace. The JSPUI controlled vocabulary servlet is vulnerable to an open redirect attack, where an attacker can craft a malicious URL that looks like a legitimate DSpace/repository URL. When that URL is clicked by the target, it redirects them to a site of the attacker's choice. This issue has been patched in versions 5.11 and 6.4. Users are advised to upgrade. There are no known workaround for this vulnerability.

Github Repository NVD

Vulnerability Analysis

CVE-2022-31193 can be exploited with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be low. considered to have a small impact on confidentiality and integrity and availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
REQUIRED
Scope:
CHANGED
Confidentiality Impact:
LOW
Integrity Impact:
LOW
Availability Impact:
LOW

Weakness Type

What is an Open Redirect Vulnerability?

A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks. An http parameter may contain a URL value and could cause the web application to redirect the request to the specified URL. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance.

CVE-2022-31193 has been classified to as an Open Redirect vulnerability or weakness.


Products Associated with CVE-2022-31193

Want to know whenever a new CVE is published for Duraspace Dspace? stack.watch will email you.

Duraspace Dspace
 

Affected Versions

DSpace:

Vulnerable Packages

The following package name and versions may be associated with CVE-2022-31193

Package Manager Vulnerable Package Versions Fixed In
maven org.dspace:dspace-jspui >= 4.0, < 5.11 5.11
maven org.dspace:dspace-jspui >= 6.0, < 6.4 6.4

Exploit Probability

EPSS
0.26%
Percentile
49.88%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.