Page History

...

Welcome to Release 4.5, a security release for the DSpace 4.x platform. For information on upgrading to DSpace 4, please see Upgrading DSpace.  

4.5 Release Notes

...

Note
title We highly recommend ALL users of DSpace 4.x upgrade to 4.5
DSpace 4.5 contains security fixes for both the XMLUI and JSPUI. To ensure your 4.x site is secure, we highly recommend ALL DSpace 4.x users upgrade to DSpace 4.5.

...

DSpace 4.5 is a security fix release to resolve several issues located in DSpace 4.x XMLUI and JSPUI. As it only provides security-fixes, DSpace 4.5 should constitute an easy upgrade from DSpace 4.x for most users. No database changes or additional configuration changes should be necessary when upgrading from DSpace 4.x to 4.5.

...

• XMLUI security fixes:
  • [HIGH SEVERITY] The XMLUI "themes/" path is vulnerable to a full directory traversal. (DS-3094 - requires a JIRA account to access.) This means that ANY files on your system which are readable to the Tomcat user account may be publicly accessed via your DSpace website.
    • Reported by Virginia Tech
      
• JSPUI security fixes: 
  • [MEDIUM SEVERITY] The JSPUI "Edit News" feature (accessible to Administrators) can be used to view/edit ANY files which are readable to the Tomcat user account (DS-3063 - requires a JIRA account to access.)
    • Reported by CINECA

...

4.4 Release Notes

...