
CVE-2022-31190: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in DSpace

Medium
Published: Mon Aug 01 2022 (08/01/2022, 20:10:11 UTC)
Source: CVE
Vendor/Project: DSpace
Product: DSpace

Description

DSpace open source software is a repository application which provides durable access to digital resources. dspace-xmlui is a UI component for DSpace. In affected versions metadata on a withdrawn Item is exposed via the XMLUI "mets.xml" object, as long as you know the handle/URL of the withdrawn Item. This vulnerability only impacts the XMLUI. Users are advised to upgrade to version 6.4 or newer.

AI-Powered Analysis

Last updated: 06/23/2025, 01:06:50 UTC

Technical Analysis

CVE-2022-31190 is a medium-severity information disclosure flaw (CWE-200) in DSpace, the open source repository platform that academic, research and cultural heritage institutions use to provide durable access to digital resources. It affects versions from 4.0 up to but not including 6.4 and is confined to dspace-xmlui, the XMLUI front end; other DSpace user interfaces and the core repository are not affected. Withdrawing an item is meant to remove it from public view: it drops out of browse and search and its item page is no longer served normally. The XMLUI's METS export, the "mets.xml" object it generates for each item, did not apply the same restriction, so anyone who already knows the handle or URL of a withdrawn item can request that object and read the item's descriptive metadata. No authentication or user interaction is required; the only precondition is knowledge of the handle. That precondition is weaker than it sounds: DSpace handles are a fixed prefix followed by a sequential number, and a withdrawn item's handle usually survives in citations, search-engine caches and previously harvested records, so it is frequently guessable or already public. No exploitation in the wild has been reported. The vendor's fix is to upgrade to 6.4 or later; DSpace 7 no longer ships the XMLUI at all.
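The check below is an added example, not DSpace project code, and is the test a repository administrator would run against their own instance before and after upgrading: request the METS object for each handle on a list of withdrawn items and report which ones still return descriptive metadata. Two things are assumed and should be adjusted if an instance differs: that the XMLUI serves the METS export at `<xmlui-root>/metadata/handle/<handle>/mets.xml` (the conventional XMLUI path), and that the export carries item metadata in a DIM `dmdSec` (the `http://www.dspace.org/xmlns/dspace/dim` namespace). The sample METS document is constructed to show that shape; the base URL and handles are placeholders.

```python
"""Check whether a DSpace XMLUI instance serves descriptive metadata for
withdrawn items through its METS export (CVE-2022-31190).

Added example, not DSpace project code.  Assumptions (adjust as needed):
  * METS export path: <xmlui-root>/metadata/handle/<handle>/mets.xml
  * metadata is wrapped in a DIM dmdSec inside the METS document
"""
import sys
import urllib.request
import xml.etree.ElementTree as ET
from urllib.error import HTTPError

METS_NS = "http://www.loc.gov/METS/"
DIM_NS = "http://www.dspace.org/xmlns/dspace/dim"


def mets_url(base_url: str, handle: str) -> str:
    """Build the assumed XMLUI METS export URL for a handle like 123456789/42."""
    return f"{base_url.rstrip('/')}/metadata/handle/{handle}/mets.xml"


def exposed_fields(mets_xml: str):
    """Return (field, value) pairs from every DIM field in the document.

    For a withdrawn item a non-empty list means the metadata is exposed;
    a fixed instance should refuse the request or return no dmdSec.
    """
    root = ET.fromstring(mets_xml)
    fields = []
    for f in root.iter(f"{{{DIM_NS}}}field"):
        parts = (f.get("mdschema"), f.get("element"), f.get("qualifier"))
        name = ".".join(p for p in parts if p)  # e.g. dc.contributor.author
        fields.append((name, (f.text or "").strip()))
    return fields


def check_handle(base_url: str, handle: str, timeout: int = 10):
    """Fetch one METS object. Returns ('exposed', fields), ('blocked', status)
    or ('error', message)."""
    req = urllib.request.Request(
        mets_url(base_url, handle),
        headers={"User-Agent": "cve-2022-31190-check"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
    except HTTPError as e:          # 403/404 from a fixed instance
        return ("blocked", e.code)
    except Exception as e:          # network error, bad XML, etc.
        return ("error", str(e))
    try:
        fields = exposed_fields(body)
    except ET.ParseError as e:
        return ("error", f"not XML: {e}")
    return ("exposed", fields) if fields else ("blocked", 200)


# Constructed sample: the shape of a DIM dmdSec in an XMLUI METS export.
SAMPLE_METS = """<mets:METS xmlns:mets="http://www.loc.gov/METS/"
    xmlns:dim="http://www.dspace.org/xmlns/dspace/dim" OBJID="hdl:123456789/42">
  <mets:dmdSec ID="dmd_1">
    <mets:mdWrap MDTYPE="OTHER" OTHERMDTYPE="DIM">
      <mets:xmlData>
        <dim:dim>
          <dim:field mdschema="dc" element="title">Withdrawn thesis (constructed sample)</dim:field>
          <dim:field mdschema="dc" element="contributor" qualifier="author">Doe, Jane</dim:field>
          <dim:field mdschema="dc" element="description" qualifier="abstract">Contains personal data.</dim:field>
        </dim:dim>
      </mets:xmlData>
    </mets:mdWrap>
  </mets:dmdSec>
</mets:METS>
"""

if __name__ == "__main__":
    # Usage: python check_mets.py https://repo.example.org/xmlui 123456789/42 [handle ...]
    if len(sys.argv) < 3:
        sys.exit("usage: check_mets.py <xmlui-root> <handle> [handle ...]")
    base, handles = sys.argv[1], sys.argv[2:]
    for h in handles:
        status, detail = check_handle(base, h)
        shown = [name for name, _ in detail] if status == "exposed" else detail
        print(h, status, shown)
```

Run it only against instances you administer, with the withdrawn-handle list taken from your own database; every "exposed" result on a pre-6.4 XMLUI is the vulnerability, and the same result after the upgrade means the fix is not deployed on the path being tested.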

Potential Impact

For European organizations, particularly universities, libraries and cultural heritage repositories that run DSpace for digital asset management, the risk is unauthorized disclosure of metadata that was deliberately taken out of public view. Items are commonly withdrawn precisely because their records were wrong or should never have been public: titles, abstracts, author and contributor names, embargo notes, or descriptions of unpublished research. Exposure of such fields can undermine privacy and confidentiality and, where personal data is involved, create obligations under the GDPR. The advisory describes metadata exposure only; the impact is on confidentiality, with no effect on integrity or availability. Exploitation requires the item's handle or URL, but because DSpace handles are sequential and withdrawn items' handles usually persist in citations, search-engine caches and harvested records, that requirement does little to limit the set of reachable items. Given how widely DSpace is deployed in the European academic and research sector, disclosure of withdrawn metadata can also bring reputational damage and regulatory scrutiny.

Mitigation Recommendations

Upgrade DSpace to version 6.4 or later, where the XMLUI METS export honours the withdrawn state; installations already on DSpace 7 are not affected because the XMLUI no longer exists there. Before and after upgrading, export the list of withdrawn items from the database and review their metadata: anything that must never be visible should be edited out of the record or the item permanently deleted, since a withdrawn item on an unpatched XMLUI has effectively been public all along. Review web server access logs for requests to "mets.xml" objects whose handles are on the withdrawn list; a single client walking many consecutive handles is the pattern to look for, and a 200 response with a normal-sized body means the metadata was served. If the upgrade cannot be scheduled immediately, restrict the "mets.xml" endpoint at the reverse proxy or WAF, either by requiring authentication for all METS exports or, more narrowly, by denying the export for the specific handles on the withdrawn list; blanket-blocking "mets.xml" also breaks legitimate METS exports of public items, so scope the rule accordingly. Do not rely on handles being secret: they are persistent identifiers intended for distribution and cannot be recalled once cited. Finally, make withdrawn-item and metadata-access reviews a routine part of repository operations so that future front-end changes are checked against the same expectation.
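The log review described above, as an added example (not DSpace project code): it parses combined-format access log lines, keeps only requests for the METS export of handles on a withdrawn list, and summarises how many distinct withdrawn handles each client touched, which is the signal for enumeration of sequential handles. Assumptions: logs are in Apache combined format from a proxy in front of the XMLUI; the export path is `/xmlui/metadata/handle/<handle>/mets.xml` (the `xmlui/` prefix is optional in the matcher); and the withdrawn-handle set was exported from the DSpace 6 database with a query of the form `SELECT h.handle FROM handle h JOIN item i ON h.resource_id = i.uuid WHERE i.withdrawn = true;` (schema details assumed; 5.x joins on `item_id`). The log lines and handle set are constructed sample data.

```python
"""Flag access-log requests for the METS export of withdrawn DSpace items.

Added example, not DSpace project code.  Assumptions:
  * Apache combined log format in front of the XMLUI
  * METS export path /xmlui/metadata/handle/<prefix>/<suffix>/mets.xml
  * the withdrawn-handle set comes from the DSpace database, e.g. (6.x schema,
    assumed):
      SELECT h.handle FROM handle h JOIN item i ON h.resource_id = i.uuid
      WHERE i.withdrawn = true;
"""
import re
from collections import defaultdict

# client ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# METS export URL; the xmlui/ context path and any query string are optional
METS_RE = re.compile(
    r'^/(?:xmlui/)?metadata/handle/(?P<handle>\d+/\d+)/mets\.xml(?:\?.*)?$'
)


def parse_line(line: str):
    """Return the request fields of one combined-format line, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_withdrawn_mets_hits(lines, withdrawn):
    """Return one record per request for the METS object of a withdrawn handle.

    'served' is True when the response was a 200, i.e. the metadata went out;
    a 403/404 means the proxy rule or the fixed XMLUI refused it.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        m = METS_RE.match(rec["path"])
        if m is None:
            continue
        handle = m.group("handle")
        if handle in withdrawn:
            hits.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "handle": handle,
                "status": int(rec["status"]),
                "served": rec["status"] == "200",
            })
    return hits


def handles_per_client(hits):
    """Count distinct withdrawn handles requested by each client address.

    One client touching many withdrawn handles in a short window is the
    enumeration pattern: handles are sequential, so walking them is cheap.
    """
    per_ip = defaultdict(set)
    for h in hits:
        per_ip[h["ip"]].add(h["handle"])
    return {ip: len(hs) for ip, hs in per_ip.items()}


# Constructed sample data (RFC 5737 documentation addresses).
SAMPLE_WITHDRAWN = {"123456789/42", "123456789/43", "123456789/77"}
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Aug/2022:10:01:02 +0000] "GET /xmlui/handle/123456789/42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Aug/2022:10:01:05 +0000] "GET /xmlui/metadata/handle/123456789/42/mets.xml HTTP/1.1" 200 3310 "-" "curl/7.68.0"',
    '203.0.113.5 - - [12/Aug/2022:10:01:06 +0000] "GET /xmlui/metadata/handle/123456789/43/mets.xml HTTP/1.1" 200 2980 "-" "curl/7.68.0"',
    '198.51.100.9 - - [12/Aug/2022:10:02:00 +0000] "GET /xmlui/metadata/handle/123456789/44/mets.xml HTTP/1.1" 200 4011 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Aug/2022:10:03:00 +0000] "GET /xmlui/metadata/handle/123456789/77/mets.xml HTTP/1.1" 403 211 "-" "curl/7.68.0"',
]

if __name__ == "__main__":
    found = find_withdrawn_mets_hits(SAMPLE_LOG, SAMPLE_WITHDRAWN)
    for h in found:
        print(f'{h["ts"]} {h["ip"]} {h["handle"]} {h["status"]} served={h["served"]}')
    print("distinct withdrawn handles per client:", handles_per_client(found))
```

On the sample, the request for handle 123456789/44 is ignored because it is not withdrawn, the 403 for 123456789/77 is recorded but not counted as served, and 203.0.113.5 shows up as having touched three withdrawn handles. Feed real logs with `find_withdrawn_mets_hits(open(path), withdrawn)` and treat every served hit before the upgrade as a confirmed disclosure of that item's metadata.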


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2022-05-18T00:00:00.000Z
Cisa Enriched
true

Threat ID: 682d9844c4522896dcbf395d

Added to database: 5/21/2025, 9:09:24 AM

Last enriched: 6/23/2025, 1:06:50 AM

Last updated: 7/28/2025, 5:33:30 PM

