当前位置: 首页 > news >正文

DSpace issue2: EPerson byEmail Search Leaks Account Authorization Properties

news 2026/6/18 12:58:08

Vulnerability call chain

1.1 Summary

DSpace has a missing authorization vulnerability: EPerson byEmail Search Leaks Account Authorization Properties. Unauthorized disclosure of EPerson account attributes including email, netid, canLogIn, requireCertificate, selfRegistered, and lastActive. These are authorization/authentication-related properties, especially netid and login flags

  • Attack precondition: The attacker can call GET /api/eperson/epersons/search/byEmail and knows or guesses a target email address
  • Security impact: Unauthorized disclosure of EPerson account attributes including email, netid, canLogIn, requireCertificate, selfRegistered, and lastActive. These are authorization/authentication-related properties, especially netid and login flags

1.2 Exploit path

GET /api/eperson/epersons/search/byEmail?email=<target> calls findByEmail() without method-level @PreAuthorize. The result is converted to EPersonRest, exposing account fields that normally require EPERSON READ via the direct findOne endpoint

1.3 Key code evidence

  1. EPersonRestRepository.java

Evidence location: EPersonRestRepository.java
2. EPersonConverter.java

Evidence location: EPersonConverter.java
3. EPersonRestPermissionEvaluatorPlugin.java

Evidence location: EPersonRestPermissionEvaluatorPlugin.java

3. Root Cause Analysis

Root Cause 1: Missing server-side authorization on the vulnerable operation.

The endpoint accepts user-controlled authorization-sensitive identifiers or fields, but the write/read path does not prove that the current caller may operate on the target object.

Root Cause 2: Missing object-scope or grant-bound validation.

The implementation relies on endpoint access, UI filtering, or object existence checks instead of enforcing target ownership, tenant boundary, role ceiling, or grantable-resource constraints at the service layer.

Add @PreAuthorize("hasPermission(#email, 'EPERSON', 'READ')") equivalent logic after resolving the target EPerson, or restrict byEmail to admin / self and return a minimized response for other users

5. Verification after fix

  • Unauthorized callers receive HTTP 403 or equivalent rejection.
  • Out-of-scope target identifiers are rejected before database writes or sensitive reads.
  • Role, permission, tenant, organization, ownership, or grant-bound ceilings are enforced server-side.
  • Direct HTTP requests are rejected even when front-end controls are hidden.
http://www.gsyq.cn/news/1547796.html

相关文章:

  • 2026西安焊缝探伤检测权威机构排行 TOP 本地高频选择,无损检测 + UT+RT+PT 检测 附电话地址 - 中安检测集团
  • QQ截图独立版:终极免费截图工具完整使用指南
  • MCMS issue4: Content copy uses `cms:content:save` to read and clone source content
  • jwt修改kid指向已知文件加密绕过
  • ATM网络APC流量控制算法:原理、参数计算与工程实践详解
  • DSpace issue3: Registration Token Path Allows Arbitrary netid Binding
  • Honey Select 2汉化去码补丁:5分钟打造完美游戏体验
  • 2026西宁焊缝探伤检测权威机构排行 TOP 本地高频选择,无损检测 + UT+RT+PT 检测 附电话地址 - 中安检测集团
  • B站缓存视频容器格式转换技术实现:m4s-converter架构解析与应用指南
  • 模型量化:从 FP16 到 INT4,怎么平衡精度和速度
  • 实战指南:3步部署Qwen2-7B-Instruct,解锁企业级AI助手核心功能
  • JEEWMS issue2: `updateAuthority` 可改写角色功能权限
  • 如何快速获取网盘直链:2025年最新下载方案终极指南
  • 山南市空调维修/中央空调维修|本地避坑指南,满分五星平台|欧米到家首选 - 欧米到家
  • Linux进程创建实验详解:从fork()原理到实践应用
  • 2026西双版纳焊缝探伤检测权威机构排行 TOP 本地高频选择,无损检测 + UT+RT+PT 检测 附电话地址 - 中安检测集团
  • JEEWMS issue3: `updateDataRule` 可改写角色数据规则
  • 2026锡林郭勒盟焊缝探伤检测权威机构排行 TOP 本地高频选择,无损检测 + UT+RT+PT 检测 附电话地址 - 中安检测集团
  • SSRF 302跳转
  • 2026乌鲁木齐焊缝探伤检测权威机构排行 TOP 本地高频选择,无损检测 + UT+RT+PT 检测 附电话地址 - 中安检测集团
  • 5年,一个程序员是如何把私有化在线客服系统做到第一名的
  • 计算机毕业设计之办公耗材管理系统
  • 2026延安焊缝探伤检测权威机构排行 TOP 本地高频选择,无损检测 + UT+RT+PT 检测 附电话地址 - 中安检测集团
  • RuoYi issue4: Unauthorized Role Assignment Deletion
  • 2026 年人来灯亮智能开关推荐:优智者感应灵敏 - 思溯深度专栏
  • 用过才敢说!2026年最值得用的专业AI论文平台
  • 2026内江焊缝探伤检测权威机构排行 TOP 本地高频选择,无损检测 + UT+RT+PT 检测 附电话地址 - 中安检测集团
  • hu
  • 2026黔南焊缝探伤检测权威机构排行 TOP 本地高频选择,无损检测 + UT+RT+PT 检测 附电话地址 - 中安检测集团
  • Hermes Agent Skill Runtime 架构拆解:让 AI Agent 不再从零开始