CVE-2022-31194: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in DSpace DSpace
DSpace open source software is a repository application which provides durable access to digital resources. dspace-jspui is a UI component for DSpace. The JSPUI resumable upload implementations in SubmissionController and FileUploadRequest are vulnerable to multiple path traversal attacks, allowing an attacker to create files/directories anywhere on the server writable by the Tomcat/DSpace user, by modifying some request parameters during submission. This path traversal can only be executed by a user with special privileges (submitter rights). This vulnerability only impacts the JSPUI. Users are advised to upgrade. There are no known workarounds. However, this vulnerability cannot be exploited by an anonymous user or a basic user. The user must first have submitter privileges to at least one Collection and be able to determine how to modify the request parameters to exploit the vulnerability.
AI Analysis
Technical Summary
CVE-2022-31194 is a path traversal vulnerability affecting the DSpace open source repository software, specifically its JSPUI component used for user interface interactions. DSpace is widely used for managing and providing durable access to digital resources, often in academic, research, and cultural heritage institutions. The vulnerability resides in the resumable upload implementations within the SubmissionController and FileUploadRequest classes. An attacker with submitter privileges (rights to submit content to at least one collection) can manipulate request parameters during the submission process to perform path traversal attacks. This allows the creation of files or directories at arbitrary locations on the server's filesystem where the Tomcat or DSpace user has write permissions. The vulnerability affects JSPUI versions from 4.0 up to but not including 5.11, and from 6.0 up to but not including 6.4. Exploitation requires authenticated access with submitter rights; anonymous and basic users cannot exploit this flaw. There are no known workarounds, and the recommended mitigation is to upgrade to a patched version of DSpace. No known exploits have been observed in the wild. The vulnerability is classified under CWE-22 (improper limitation of a pathname to a restricted directory), a weakness that can lead to unauthorized file system access and compromise of the underlying server environment.
Potential Impact
For European organizations using DSpace, particularly universities, research institutions, and cultural heritage archives, this vulnerability poses a significant risk to the confidentiality, integrity, and availability of their digital repositories. An attacker with submitter privileges could leverage this flaw to write malicious files or scripts outside the intended directories, potentially leading to server compromise, data tampering, or disruption of repository services. This could result in unauthorized data disclosure, loss of trust, and operational downtime. Since DSpace often hosts sensitive academic and research data, exploitation could also impact intellectual property and compliance with data protection regulations such as GDPR. The requirement for submitter privileges limits the attack surface but does not eliminate risk, especially in environments with large or loosely controlled submitter user bases. The absence of known exploits in the wild suggests limited active targeting so far, but the vulnerability's nature means it could be leveraged for privilege escalation or lateral movement if combined with other weaknesses.
Mitigation Recommendations
Organizations should prioritize upgrading DSpace installations to version 5.11 or later on the 4.x/5.x line and 6.4 or later on the 6.x line, where this vulnerability is patched. Until upgrades are applied, administrators should audit and restrict submitter privileges rigorously, ensuring only trusted users have submission rights. Implement strict monitoring and logging of submission activities to detect anomalous parameter modifications indicative of exploitation attempts. Additionally, deploying web application firewalls (WAFs) with custom rules to detect and block path traversal patterns in upload requests can provide a temporary protective layer. Regularly review and harden file system permissions for the Tomcat/DSpace user to minimize writable directories outside the intended upload paths. Conduct security awareness training for submitters to reduce the risk of insider threats or accidental misuse. Finally, maintain up-to-date backups of repository data to enable recovery in case of compromise.
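The core defence behind "minimize writable directories outside intended paths" is a handler that refuses to derive an on-disk path from request parameters unless the canonical result stays inside the upload directory. The following is an added illustration, not code from DSpace or from the original advisory; the `resumableIdentifier`, `resumableFilename` and `resumableChunkNumber` parameter names and the `/var/dspace/uploads` base directory are assumptions chosen to resemble a typical resumable-upload form.

```python
import os
import re
from urllib.parse import unquote

# Constructed example, not DSpace code: a resumable-upload handler that
# derives the chunk path from request-supplied parameters. Parameter names
# are assumptions; the two-layer defence does not depend on them.
# Leading class excludes '.' and '..'; no separators, '%' or control bytes.
SAFE_SEGMENT = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


def resolve_upload_path(base_dir: str, params: dict) -> str:
    """Return the absolute path a chunk may be written to, or raise
    ValueError when any parameter would place it outside base_dir."""
    base = os.path.realpath(base_dir)
    # Decode once so %2e%2e%2f-style encodings are judged on the decoded form;
    # a double-encoded %252e decodes to '%2e', which the allow-list rejects.
    ident = unquote(str(params.get("resumableIdentifier", "")))
    fname = unquote(str(params.get("resumableFilename", "")))
    chunk = str(params.get("resumableChunkNumber", ""))
    # Layer 1: allow-list each segment. fullmatch, not match, so a trailing
    # newline cannot slip past a '$' anchor.
    for seg in (ident, fname):
        if not SAFE_SEGMENT.fullmatch(seg):
            raise ValueError(f"rejected path segment: {seg!r}")
    if not chunk.isdigit():
        raise ValueError("chunk number must be a non-negative integer")
    candidate = os.path.realpath(
        os.path.join(base, ident, f"{fname}.part{int(chunk)}"))
    # Layer 2: containment check on the canonical path. This also defeats
    # symlinks inside the upload tree and prefix confusion such as
    # /var/uploads versus /var/uploads-other, which a startswith() misses.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("resolved path escapes the upload directory")
    return candidate


def is_rejected(base_dir: str, params: dict) -> bool:
    """True when the handler refuses the request; handy when replaying
    logged submission parameters during an investigation."""
    try:
        resolve_upload_path(base_dir, params)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    base = "/var/dspace/uploads"  # assumed base directory
    good = {"resumableIdentifier": "job42",
            "resumableFilename": "thesis.pdf", "resumableChunkNumber": "3"}
    print(resolve_upload_path(base, good))
    print(is_rejected(base, {"resumableIdentifier": "%2e%2e%2fetc",
                             "resumableFilename": "x", "resumableChunkNumber": "1"}))
```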
Affected Countries
United Kingdom, Germany, France, Netherlands, Sweden, Italy, Spain, Belgium, Finland, Denmark
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2022-05-18T00:00:00.000Z
- CISA Enriched: true
Threat ID: 682d9844c4522896dcbf3978
Added to database: 5/21/2025, 9:09:24 AM
Last enriched: 6/23/2025, 1:05:46 AM
Last updated: 8/16/2025, 5:21:44 AM