DSpace open source software is a repository application which provides durable access to digital resources. dspace-jspui is a UI component for DSpace. The JSPUI controlled vocabulary servlet is vulnerable to an open redirect attack, in which an attacker crafts a malicious URL that looks like a legitimate DSpace/repository URL. When the target clicks that URL, they are redirected to a site of the attacker's choice. This issue has been patched in versions 5.11 and 6.4. Users are advised to upgrade. There are no known workarounds for this vulnerability.
{ "vanir_signatures": [ { "id": "CVE-2022-31193-07f0f981", "signature_type": "Line", "digest": { "line_hashes": [ "194256693938643061146082747784343617780", "74097944488310406589478838007677848881", "274268665387351830738484623536498219154", "8206378877108847774533840159145203315", "146508925465581470121161005701242566557", "140751182846231614761886246628891142077", "70468589860306572260587328004349284239", "291195736580888230876166404512085943559", "206362487785960115410173619202220527132" ], "threshold": 0.9 }, "target": { "file": "dspace-jspui/src/main/java/org/dspace/app/webui/servlet/ControlledVocabularyServlet.java" }, "deprecated": false, "signature_version": "v1", "source": "https://github.com/dspace/dspace/commit/5f72424a478f59061dcc516b866dcc687bc3f9de" }, { "id": "CVE-2022-31193-1b7d076c", "signature_type": "Function", "digest": { "function_hash": "119780573979426861905177072604783249930", "length": 554.0 }, "target": { "file": "dspace-jspui/src/main/java/org/dspace/app/webui/servlet/ControlledVocabularyServlet.java", "function": "doDSGet" }, "deprecated": false, "signature_version": "v1", "source": "https://github.com/dspace/dspace/commit/5f72424a478f59061dcc516b866dcc687bc3f9de" }, { "id": "CVE-2022-31193-476b8510", "signature_type": "Line", "digest": { "line_hashes": [ "194256693938643061146082747784343617780", "74097944488310406589478838007677848881", "274268665387351830738484623536498219154", "8206378877108847774533840159145203315", "146508925465581470121161005701242566557", "140751182846231614761886246628891142077", "70468589860306572260587328004349284239", "291195736580888230876166404512085943559", "206362487785960115410173619202220527132" ], "threshold": 0.9 }, "target": { "file": "dspace-jspui/src/main/java/org/dspace/app/webui/servlet/ControlledVocabularyServlet.java" }, "deprecated": false, "signature_version": "v1", "source": "https://github.com/dspace/dspace/commit/f7758457b7ec3489d525e39aa753cc70809d9ad9" }, { "id": 
"CVE-2022-31193-85275fcc", "signature_type": "Function", "digest": { "function_hash": "119780573979426861905177072604783249930", "length": 554.0 }, "target": { "file": "dspace-jspui/src/main/java/org/dspace/app/webui/servlet/ControlledVocabularyServlet.java", "function": "doDSGet" }, "deprecated": false, "signature_version": "v1", "source": "https://github.com/dspace/dspace/commit/f7758457b7ec3489d525e39aa753cc70809d9ad9" } ] }