CVE-2022-31195: 
Java vulnerability analysis and mitigation

CVE-2022-31195 is a path traversal vulnerability discovered in DSpace's ItemImportServiceImpl that affects versions 4.0 through 6.3. The vulnerability was discovered by Johannes Moritz of Ripstech and publicly disclosed on July 29, 2022. This security flaw affects the XMLUI, JSPUI, and command-line interfaces of DSpace, but does not impact version 7.x (GitHub Advisory).

The vulnerability is classified as a path traversal issue (CWE-22) with a High severity rating. It exists in the Simple Archive Format (SAF) package import functionality, where the ItemImportServiceImpl component fails to properly validate file paths during the extraction of ZIP archives. This could allow malicious SAF packages to create files or directories anywhere the Tomcat/DSpace user has write permissions on the server (GitHub Advisory).

If exploited, this vulnerability could allow an attacker to create files or directories in any location where the Tomcat/DSpace user has write permissions on the server. However, the impact is limited as the vulnerability can only be exploited by users with special privileges, specifically administrators or users with command-line access to the server (GitHub Advisory).

The vulnerability has been patched in DSpace versions 6.4 and 5.11. For those unable to upgrade immediately, workarounds include blocking access to specific URL paths: '/admin/batchimport' for XMLUI and '/dspace-admin/batchimport' for JSPUI. Additionally, patches can be manually applied using the provided patch files for both 6.x and 5.x versions. The fix involves implementing proper path validation during ZIP extraction to prevent directory traversal attacks (GitHub Advisory).