You are here

Block title
Block content

NOW AVAILABLE: DSpace 5.5 With Security Fixes/Bug Fixes to 5.x

From Tim Donohue, DSpace Tech Lead on behalf of the DSpace developers

Austin, TX  DSpace 5.5 is now available providing security fixes to both the XMLUI and JSPUI, along with bug fixes to the DSpace 5.x platform.

• DSpace 5.5 can be downloaded immediately from:
• 5.5 Release notes are available at:

In addition, you are welcome to try out DSpace 5.5 on

5.5 Bug Fixes

  • XMLUI security fixes
    • [HIGH SEVERITY] The XMLUI "themes" path is vulnerable to a full directory traversal. (DS-3094 - requires a JIRA/Wiki account to access.) This means that ANY files on your system which are readable to the Tomcat user account may be publicly accessed via your DSpace site. This XMLUI vulnerability has existed since DSpace 1.5.x, and was discovered by Virginia Tech.
  • JSPUI security fixes
    • [MEDIUM SEVERITY] The JSPUI "Edit News" feature (accessible to Administrators) can be used to view/edit ANY files which are readable to the Tomcat user account (DS-3063 - requires a JIRA/Wiki account to access.)  This JSPUI vulnerability has existed since DSpace 4.0, and was discovered by CINECA.
  • REST fixes
    • Fixed the "/handle" endpoint (DS-2936)
    • REST webapp wasn't registering itself on startup (DS-2946)
  • OAI fixes
    • Fixed a few incorrect URL encoding issue (DS-3050)
    • Fixed the broken "NOT" filter (DS-2820)
  • Configuration fixes
    • Fixed misspelling in dcterms registry (conformsTo) (DS-2998
    • Updated our default DataCite configurations to point at the updated DataCite test server (DS-2923)
  • Other minor fixes
    • Broken SQL query in Item.findByMetadataFieldAuthority API method (DS-2517)
    • Mirage2: Ensured printing the item page from doesn't include bitstream URLs (DS-2893)

For much more information on each of these and other fixes, please visit our 5.x Release Notes:

5.5 Documentation

The DSpace 5.x documentation is available online at:

A PDF copy of the documentation can also be downloaded from:

5.5 Acknowledgments

The DSpace application would not exist without the hard work and support of the community. Thank you to the many developers who have worked very hard to deliver all the new features and improvements. Also thanks to the users who provided input and feedback on the development.

The 5.5 release was led by the Committers.

The following individuals provided code or bug fixes to the 5.5 release: Pascal-Nicolas Becker (pnbecker), Andrea Bollini (abollini), Tim Donohue (tdonohue), Claudia Juergen (cjuergen), Bram Luyten (bram-atmire), Ivan Masar (helix84), Dylan Meeus (DylanMeeus), AmberPoo1, Christian Scheible (christian-scheible), Tim Van de Langenbergh (tim-atmire), Mark Wood (mwoodiupui)

A detailed listing of all known people/institutions who contributed directly to DSpace 5.x is available in the Release Notes. If you contributed and were accidentally not listed, please let us know so that we can correct it!

As always, we are happy to hear back from the community about DSpace. Please let us know what you think of 5.5!