CVE-2021-41189

7.2 HIGH

📋 TL;DR

CVE-2021-41189 is a privilege escalation vulnerability in DSpace 7.0 where community or collection administrators can elevate their permissions to become system administrators. This allows unauthorized users to gain full administrative control over the repository system. Only DSpace 7.0 installations are affected.

💻 Affected Systems

Products:
  • DSpace
Versions: 7.0 only
Operating Systems: All platforms running DSpace
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects DSpace 7.0; versions 6.x and below are not vulnerable. The vulnerability exists in the permission management interface.

📦 What is this software?

DSpace is an open-source digital repository platform, widely used by universities, libraries and research institutions to store, manage and publish scholarly and archival content. Access is organised into communities and collections, each of which can have its own delegated administrators.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker with community/collection admin access gains full system administrator privileges, allowing complete control over the repository including data manipulation, user management, and system configuration changes.

🟠 Likely Case

Malicious or compromised community/collection administrators escalate to system admin and perform unauthorized actions like data exfiltration, privilege manipulation, or system disruption.

🟢 If Mitigated

With proper access controls and monitoring, impact is limited to detection of unauthorized privilege escalation attempts and containment of affected accounts.

🌐 Internet-Facing: HIGH - DSpace repositories are typically internet-facing, and any community/collection admin account compromise leads to full system compromise.
🏢 Internal Only: MEDIUM - Internal-only deployments reduce the external attack surface but remain vulnerable to insider threats or compromised internal accounts.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires existing community or collection administrator credentials. The vulnerability is in the web interface and likely easy to exploit once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.1

Vendor Advisory: https://github.com/DSpace/DSpace/security/advisories/GHSA-cf2j-vf36-c6w8

Restart Required: Yes

Instructions:

1. Backup your DSpace installation and database.
2. Download DSpace 7.1 from the official repository.
3. Follow the upgrade instructions at https://wiki.lyrasis.org/display/DSDOC7x/Upgrading+DSpace.
4. Restart the application server.

🔧 Temporary Workarounds

Disable permission management for community/collection admins

all

Temporarily remove the ability of community or collection administrators to manage permissions or workflow settings, as suggested in the advisory.

Modify DSpace configuration to restrict permission management capabilities for non-system administrators

🧯 If You Can't Patch

  • Implement strict monitoring of community/collection admin activities and privilege changes
  • Reduce number of community/collection administrators to minimum required and implement additional authentication controls

🔍 How to Verify

Check if Vulnerable:

Check the DSpace version: if the installation is running 7.0, it is vulnerable. Also review user roles and recent permission changes in the admin logs for signs that the flaw has already been used.

Check Version:

Check the DSpace web interface admin panel, or examine the dspace.version property in the configuration files.

Verify Fix Applied:

Confirm DSpace version is 7.1 or higher. Test that community/collection admins cannot escalate to system admin privileges.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected permission escalation events
  • Community/collection admin accounts gaining system admin privileges
  • Changes to system configuration by non-system administrators

Network Indicators:

  • Unusual admin interface access patterns from community/collection admin accounts

SIEM Query:

source="dspace.log" AND ("permission escalation" OR "admin privilege" OR "system.admin")
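The SIEM query above matches on keywords only. As an added example (not part of this page, the advisory, or DSpace's own tooling), the script below turns the log indicator "community/collection admin accounts gaining system admin privileges" into a structural check: it flags any grant of membership in the Administrator group (DSpace's built-in site-administrator group) that was performed by an actor whose role is not system administrator, and marks self-grants separately. The key=value log layout, the role names and the sample lines are constructed assumptions and must be mapped to the fields your DSpace logs actually emit.

```python
import re

# Constructed sample lines in an ASSUMED "date time key=value ..." layout.
# Real DSpace 7 logs use a different format; adapt parse_line() accordingly.
SAMPLE_LOG = """\
2021-10-20 09:14:02 actor=alice role=community_admin action=add_group_member target_group=Administrator member=alice
2021-10-20 09:15:10 actor=bob role=system_admin action=add_group_member target_group=Administrator member=carol
2021-10-20 09:16:33 actor=dave role=collection_admin action=edit_collection target=collection/12
2021-10-20 09:17:41 actor=dave role=collection_admin action=add_group_member target_group=Administrator member=eve
2021-10-20 09:18:05 actor=alice role=community_admin action=add_group_member target_group=Collection_12_submit member=frank
"""

# DSpace's built-in site-wide administrator group is literally named "Administrator".
SYSADMIN_GROUP = "Administrator"

# Roles allowed to change membership of the sysadmin group (assumed label).
PRIVILEGED_ROLES = {"system_admin"}

# Actions that add a member to a group (assumed action label).
GRANT_ACTIONS = {"add_group_member"}

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<kv>.*)$")


def parse_line(line):
    """Parse one assumed-format log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {}
    for token in m.group("kv").split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    fields["ts"] = m.group("ts")
    return fields


def is_escalation(event):
    """True when a non-sysadmin actor adds someone to the Administrator group."""
    return (
        event.get("action") in GRANT_ACTIONS
        and event.get("target_group") == SYSADMIN_GROUP
        and event.get("role") not in PRIVILEGED_ROLES
    )


def find_escalations(log_text):
    """Return one alert dict per suspicious grant, in log order."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if event is None or not is_escalation(event):
            continue
        alerts.append({
            "ts": event["ts"],
            "actor": event.get("actor"),
            "member": event.get("member"),
            # An actor adding itself to Administrator is the pattern CVE-2021-41189 enables.
            "self_grant": event.get("actor") == event.get("member"),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_escalations(SAMPLE_LOG):
        kind = "SELF-ESCALATION" if alert["self_grant"] else "unauthorized grant"
        print(f"{alert['ts']} {kind}: {alert['actor']} -> {alert['member']}")
```

Only the two grants into the Administrator group by non-sysadmin actors are reported; the legitimate grant by the system administrator and the collection-scoped submitter grant are not. Tune `PRIVILEGED_ROLES` and `GRANT_ACTIONS` to your log vocabulary before using this as a SIEM rule.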
