dspace-xmlui is vulnerable to information disclosure. The vulnerability exists because the generate function of DSpaceMETSGenerator.java does not properly check the read permissions for METS values, allowing an attacker to gain sensitive information through the XMLUI mets.xml object.
github.com/DSpace/DSpace/commit/574e25496a40173653ae7d0a49a19ed8e3458606
github.com/DSpace/DSpace/commit/574e25496a40173653ae7d0a49a19ed8e3458606.patch
github.com/DSpace/DSpace/pull/2451
github.com/DSpace/DSpace/security/advisories/GHSA-7w85-pp86-p4pq
jira.duraspace.org/browse/DS-1922
jira.duraspace.org/browse/DS-304