Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-37476: Merge pull request from GHSA-m88m-crr9-jvqq · OpenRefine/OpenRefine@e9c1e65

OpenRefine is a free, open source tool for data processing. A carefully crafted malicious OpenRefine project tar file can be used to trigger arbitrary code execution in the context of the OpenRefine process if a user can be convinced to import it. The vulnerability exists in all versions of OpenRefine up to and including 3.7.3. Users should update to OpenRefine 3.7.4 as soon as possible. Users unable to upgrade should only import OpenRefine projects from trusted sources.

CVE
#vulnerability#ssl

Expand Up

@@ -150,4 +150,19 @@ public void metaFileUpdateTest() throws GetProjectIDException, InterruptedExcept

assertEquals(timeBeforeB, timeAfterB);

assertNotEquals(timeBeforeA, timeAfterA);

}

@Test

public void testUntarZipSlip() throws IOException {

FileProjectManager manager = new FileProjectManagerStub(workspaceDir);

File tempDir = TestUtils.createTempDirectory(“openrefine-project-import-zip-slip-test”);

try {

File subDir = new File(tempDir, “dest”);

InputStream stream = FileProjectManagerTests.class.getClassLoader().getResourceAsStream(“zip-slip.tar”);

assertThrows(IllegalArgumentException.class, () -> manager.untar(subDir, stream));

} finally {

tempDir.delete();

}

}

}

Related news

OpenRefine's Zip Slip Vulnerability Could Let Attackers Execute Malicious Code

A high-severity security flaw has been disclosed in the open-source OpenRefine data cleanup and transformation tool that could result in arbitrary code execution on affected systems. Tracked as CVE-2023-37476 (CVSS score: 7.8), the vulnerability is a Zip Slip vulnerability that could have adverse impacts when importing a specially crafted project in versions 3.7.3 and below. "Although OpenRefine

GHSA-m88m-crr9-jvqq: OpenRefine vulnerable to zip slip in project import

### Impact A carefully crafted malicious OpenRefine project tar file can be used to trigger arbitrary code execution if a user can be convinced to import it. ### Patches The vulnerability exists in all versions of OpenRefine up to and including 3.7.3. Users should update to OpenRefine 3.7.4 as soon as possible. ### Workarounds Only import OpenRefine projects from trusted sources. ### References A similar [issue](https://github.com/OpenRefine/OpenRefine/issues/1840) existed in the Create Project feature ([CVE-2018-19859](https://nvd.nist.gov/vuln/detail/CVE-2018-19859)), which was fixed by PR [#1901](https://github.com/OpenRefine/OpenRefine/pull/1901).

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907