CVE-2022-31193: [DS-4133] Improve URL handling in Controlled Vocab JSPUI servlet · DSpace/DSpace@f775845
DSpace open source software is a repository application which provides durable access to digital resources. dspace-jspui is a UI component for DSpace. The JSPUI controlled vocabulary servlet is vulnerable to an open redirect attack, where an attacker can craft a malicious URL that looks like a legitimate DSpace/repository URL. When that URL is clicked by the target, it redirects them to a site of the attacker’s choice. This issue has been patched in versions 5.11 and 6.4. Users are advised to upgrade. There are no known workarounds for this vulnerability.
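The defensive check an open-redirect fix needs is "is this target a path inside my own web application". The following is an added example, not DSpace's code and not the commit shown on this page: it goes beyond the commit's plain `startsWith(getContextPath())` test by parsing the parameter with `java.net.URI`, rejecting anything that carries a scheme or an authority, and comparing whole path segments so that a sibling context such as `/jspuix` is not accepted. The class name `RedirectTargetCheck`, the method `isSafeLocalRedirect` and all sample values in `main` are constructed for illustration; the only assumption drawn from the Servlet API is that `HttpServletRequest.getContextPath()` returns the empty string for a root deployment.

```java
import java.net.URI;
import java.net.URISyntaxException;

/**
 * Added example (not DSpace code): decide whether a user-supplied
 * "callerUrl" request parameter may be used as a redirect target.
 * Only a path inside this webapp's context path is accepted.
 */
public final class RedirectTargetCheck {

    private RedirectTargetCheck() { }

    /**
     * @param callerUrl   raw request parameter, may be null
     * @param contextPath value of HttpServletRequest.getContextPath(),
     *                    e.g. "/jspui", or "" for a root deployment
     * @return true only if callerUrl is a path within this application
     */
    public static boolean isSafeLocalRedirect(String callerUrl, String contextPath) {
        if (callerUrl == null || callerUrl.isEmpty()) {
            return false;                      // parameter absent: nothing to redirect to
        }
        URI uri;
        try {
            uri = new URI(callerUrl);
        } catch (URISyntaxException e) {
            return false;                      // unparseable input is never a valid target
        }
        // A scheme ("https:") or an authority ("//host") means the target leaves this app,
        // which also closes the root-context case where contextPath is "" and any
        // prefix test would accept every value.
        if (uri.getScheme() != null || uri.getRawAuthority() != null) {
            return false;
        }
        // Resolve "." and ".." segments before comparing against the context path.
        String path = uri.normalize().getRawPath();
        if (path == null || !path.startsWith("/")) {
            return false;                      // relative paths resolve against the current page
        }
        for (String segment : path.split("/")) {
            if ("..".equals(segment)) {
                return false;                  // ".." that could not be normalised away
            }
        }
        String base = contextPath == null ? "" : contextPath;
        // Segment-wise comparison: "/jspui" and "/jspui/..." pass, "/jspuix/..." does not.
        return path.equals(base) || path.startsWith(base + "/");
    }

    public static void main(String[] args) {
        String ctx = "/jspui";                 // constructed sample context path
        String[] samples = {                   // constructed sample inputs
            "/jspui/submit",                   // accepted: inside the application
            "/jspui?ID=1",                     // accepted: context root with query string
            "/jspuix/other",                   // rejected: shares a prefix, different context
            "https://example.invalid/x",       // rejected: carries a scheme
            "//example.invalid/x",             // rejected: carries an authority
            "/jspui/../other",                 // rejected: normalises to /other
            "submit",                          // rejected: relative path
            null                               // rejected: parameter missing
        };
        for (String s : samples) {
            System.out.println(s + " -> " + isSafeLocalRedirect(s, ctx));
        }
    }
}
```

Returning `false` for a missing parameter is what lets the caller answer with a 400 rather than a 500: the commit's own `callerUrl.startsWith(...)` throws a `NullPointerException` when the parameter is absent. The rejected case is still logged at the call site, as the commit does, so that repeated crafted requests remain visible in the application log.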
@@ -14,6 +14,7 @@
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.log4j.Logger;
import org.dspace.authorize.AuthorizeException;
import org.dspace.core.Context;
@@ -25,8 +26,8 @@
*/
public class ControlledVocabularyServlet extends DSpaceServlet
{
// private static Logger log =
// Logger.getLogger(ControlledVocabularyServlet.class);
private static Logger log =
Logger.getLogger(ControlledVocabularyServlet.class);
protected void doDSGet(Context context, HttpServletRequest request,
HttpServletResponse response) throws ServletException, IOException,
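Review bot: the commented-out `log` declaration immediately above the live `private static Logger log = Logger.getLogger(ControlledVocabularyServlet.class);` is dead code once the logger is reinstated; if this hunk leaves the commented pair in place, delete it rather than keeping a duplicate of the field that now exists two lines below.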
@@ -37,6 +38,13 @@ protected void doDSGet(Context context, HttpServletRequest request,
String filter = "";
String callerUrl = request.getParameter(“callerUrl”);
// callerUrl must starts with URL outside DSpace request context path
if(!callerUrl.startsWith(request.getContextPath())) {
log.error("Controlled vocabulary caller URL would result in redirect outside DSpace web app: " + callerUrl + “. Rejecting request with 400 Bad Request.”);
response.sendError(400, "The caller URL must be within the DSpace base URL of " + request.getContextPath());
return;
}
if (request.getParameter(“ID”) != null)
{
ID = request.getParameter(“ID”);
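Review bot: `callerUrl.startsWith(request.getContextPath())` dereferences the parameter without a null check, so a request that omits `callerUrl` throws a `NullPointerException` (HTTP 500) instead of the intended 400; the condition should read `if (callerUrl == null || !callerUrl.startsWith(request.getContextPath()))`. The prefix test is also weaker than the log message promises: a webapp deployed at the root context gets `""` from `getContextPath()`, and `startsWith("")` is true for every value, so nothing is rejected there; and even with a non-empty context path a plain prefix accepts a sibling context such as `/jspuiX/...`. Compare against `getContextPath() + "/"` (or equality with the context path itself) and, ideally, parse the value with `java.net.URI` and reject any input that carries a scheme or an authority before looking at the path.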
Related news
### Impact

The JSPUI controlled vocabulary servlet is vulnerable to an open redirect attack, where an attacker can craft a malicious URL that looks like a legitimate DSpace/repository URL. When that URL is clicked by the target, it redirects them to a site of the attacker's choice. _This vulnerability does NOT impact the XMLUI or 7.x._

### Patches

_DSpace 6.x:_

* Fixed in 6.x via commit: https://github.com/DSpace/DSpace/commit/f7758457b7ec3489d525e39aa753cc70809d9ad9
* 6.x patch file: https://github.com/DSpace/DSpace/commit/f7758457b7ec3489d525e39aa753cc70809d9ad9.patch (may be applied manually if an immediate upgrade to 6.4 or above is not possible)

_DSpace 5.x:_

* Fixed in 5.x via commit: https://github.com/DSpace/DSpace/commit/5f72424a478f59061dcc516b866dcc687bc3f9de
* 5.x patch file: https://github.com/DSpace/DSpace/commit/5f72424a478f59061dcc516b866dcc687bc3f9de.patch (may be applied manually if an immediate upgrade to 5.11 or 6.4 or above is not possible)

#### Apply the patc...