Description
DSpace is an open source turnkey repository application. In version 7.0, any community or collection administrator can escalate their permission up to become system administrator. This vulnerability only exists in 7.0 and does not impact 6.x or below. This issue is patched in version 7.1. As a workaround, users of 7.0 may temporarily disable the ability for community or collection administrators to manage permissions or workflows settings.
References (4)
Third Party Advisory (x_refsource_confirm): https://github.com/DSpace/DSpace/security/advisories/GHSA-cf2j-vf36-c6w8
Exploit, Third Party Advisory (x_refsource_misc): https://github.com/DSpace/DSpace/issues/7928
Patch, Third Party Advisory (x_refsource_misc): https://github.com/DSpace/DSpace/commit/277b499a5cd3a4f5eb2370513a1b7e4ec2a6e041
Patch, Third Party Advisory (x_refsource_misc): https://github.com/DSpace/DSpace/commit/c3bea16ab911606e15ae96c97a1575e1ffb14f8a
Scores
CVSS v3
7.2
EPSS
0.0199
EPSS Percentile
78.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-863
Status
published
Products (2)
duraspace/dspace
7.0
org.dspace/dspace-api
7.0 - 7.1 (Maven)
Published
Oct 29, 2021
Tracked Since
Feb 18, 2026