
Cloud Vulnerability DB
A community-led vulnerabilities database
The DSpace JSPUI (JavaServer Pages User Interface) controlled vocabulary servlet is vulnerable to an open redirect in DSpace versions 4.0 through 6.3. The flaw, tracked as CVE-2022-31193, was discovered and reported by Johannes Moritz of RIPS Technologies (Ripstech). It lets an attacker craft a URL on the repository's own host that, when opened, sends the browser on to an arbitrary external site. The vulnerability was disclosed on July 29, 2022 and affects only the JSPUI component; the XMLUI is not affected, and DSpace 7.x no longer ships JSPUI (GitHub Advisory).
The servlet accepts a callerUrl request parameter naming the page to return to and redirects the browser to that value without checking that it stays inside the DSpace web application, that is, that it begins with the application's request context path. Because the parameter is passed straight through to the redirect, an absolute URL on an attacker-controlled host is accepted as readily as an in-application path. The advisory rates the issue High severity because of its usefulness in phishing (GitHub Advisory).
An attacker exploits this by distributing a link whose host is the genuine DSpace repository but whose callerUrl parameter points to a site they control. The link passes casual inspection because it really does lead to the repository; the repository then forwards the victim to the attacker's page, typically a look-alike login form used to harvest credentials or to stage further social engineering (GitHub Advisory).
The vulnerability is fixed in DSpace 6.4 and 5.11. Users who cannot upgrade immediately can apply the fix commits directly: f775845 for the 6.x branch and 5f72424 for the 5.x branch. The fix validates the callerUrl parameter, requiring it to start with the DSpace request context path before the redirect is issued, so that only in-application URLs are honoured. Upgrade to a patched release or apply the relevant commit manually (GitHub Advisory).
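As an added illustration (example code written for this page, not DSpace's own servlet code or the text of the fix commits), the Java class below contrasts the vulnerable pattern, redirecting to whatever callerUrl contains, with a hardened check anchored on the servlet context path. The method names (vulnerableRedirectTarget, safeRedirectTarget, isSafeCallerUrl) and the sample URLs are this example's own; the parameter name callerUrl and the context-path requirement come from the advisory. The example goes a little beyond the described fix: it also refuses any value carrying a scheme or authority (absolute and protocol-relative URLs), rejects backslashes, and handles a root deployment with an empty context path, none of which a bare startsWith check covers on its own.

```java
import java.net.URI;
import java.net.URISyntaxException;

/**
 * Added example, not DSpace project code: models the open-redirect check on a
 * callerUrl-style "return to" parameter. The DSpace fix is described as requiring
 * callerUrl to start with the request context path; the extra checks here are
 * this example's own hardening, not a claim about the project's patch.
 */
public class CallerUrlCheck {

    /** Vulnerable behaviour: whatever the client sent is used as the redirect target. */
    static String vulnerableRedirectTarget(String callerUrl, String fallback) {
        return callerUrl != null ? callerUrl : fallback;
    }

    /** Hardened behaviour: only an in-application path is honoured, otherwise fall back. */
    static String safeRedirectTarget(String callerUrl, String contextPath, String fallback) {
        return isSafeCallerUrl(callerUrl, contextPath) ? callerUrl : fallback;
    }

    /**
     * Accepts only a path-only URL rooted in this webapp's context path.
     * contextPath is what HttpServletRequest.getContextPath() would return:
     * "/jspui" for a normal deployment, "" for a root deployment.
     */
    static boolean isSafeCallerUrl(String callerUrl, String contextPath) {
        if (callerUrl == null || callerUrl.isEmpty()) {
            return false;
        }
        // Some browsers normalise "/\evil.example" to "//evil.example"; refuse outright.
        if (callerUrl.contains("\\")) {
            return false;
        }
        URI uri;
        try {
            uri = new URI(callerUrl);
        } catch (URISyntaxException e) {
            return false; // unparseable input is never a safe redirect target
        }
        // A scheme ("https:", "javascript:") or an authority (host, as in
        // "//evil.example/...") means the target is not this application.
        if (uri.getScheme() != null || uri.getAuthority() != null) {
            return false;
        }
        String path = uri.getRawPath();
        if (path == null || !path.startsWith("/")) {
            return false; // relative paths are ambiguous; require an absolute path
        }
        if (contextPath.isEmpty()) {
            return true; // root deployment: any absolute path on this host is in-app
        }
        // Require the context path itself or the context path followed by "/",
        // so "/jspuix/..." is not accepted for a "/jspui" deployment.
        return path.equals(contextPath) || path.startsWith(contextPath + "/");
    }

    public static void main(String[] args) {
        String ctx = "/jspui";
        String fallback = ctx + "/";
        // Constructed sample inputs covering the common open-redirect bypasses.
        String[] samples = {
            ctx + "/submit?step=2",        // legitimate in-app return URL
            "https://evil.example/login",  // absolute external URL
            "//evil.example/login",        // protocol-relative URL
            "/\\evil.example",             // backslash variant
            "/jspuix/page",                // prefix collision with the context path
            "/otherapp/page",              // same host, different webapp
            "javascript:alert(1)",         // scheme-only value
        };
        for (String s : samples) {
            System.out.printf("%-30s vulnerable -> %-30s hardened -> %s%n",
                    s, vulnerableRedirectTarget(s, fallback), safeRedirectTarget(s, ctx, fallback));
        }
    }
}
```

Compile and run with javac and java; each line shows where the vulnerable path would send the browser against where the hardened path sends it. When reviewing a backport of the fix, note that startsWith(contextPath) alone is vacuously true when the context path is empty, so a root deployment also needs the leading-slash and no-authority checks shown here.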
Source: This report was generated using AI