CVE-2022-31190: 
Java vulnerability analysis and mitigation

CVE-2022-31190 affects dspace-xmlui, a UI component for DSpace. The vulnerability allows metadata on a withdrawn Item to be exposed via the XMLUI 'mets.xml' object, as long as the handle/URL of the withdrawn Item is known. This security issue was discovered and reported by David Cavrenne of Atmire (GitHub Advisory).

The vulnerability exists in DSpace versions 4.0 through 6.3 and specifically affects the XMLUI component. The issue occurs because the METS generator does not properly check for READ permissions before exposing item metadata. This vulnerability only impacts the XMLUI interface and does not affect JSPUI or DSpace 7.x versions (GitHub Advisory).

The impact of this vulnerability is considered low severity as Item metadata typically does not contain highly secure or sensitive information. However, unauthorized users can access metadata of withdrawn items if they know the handle/URL, potentially exposing information that was intended to be restricted (GitHub Advisory).

For immediate mitigation, administrators can permanently delete withdrawn items that contain sensitive information in their metadata. The long-term fix requires upgrading to DSpace 6.4 or later. For those unable to upgrade immediately, a patch is available that can be manually applied to affected versions. The patch implements proper permission checking in the METS generator (GitHub Advisory).