Headline
GHSA-m88m-crr9-jvqq: OpenRefine vulnerable to zip slip in project import
Impact
A carefully crafted malicious OpenRefine project tar file can be used to trigger arbitrary code execution if a user can be convinced to import it.
Patches
The vulnerability exists in all versions of OpenRefine up to and including 3.7.3. Users should update to OpenRefine 3.7.4 as soon as possible.
Workarounds
Only import OpenRefine projects from trusted sources.
References
A similar issue existed in the Create Project feature (CVE-2018-19859), which was fixed by PR #1901.
Package
maven org.openrefine:main (Maven)
Affected versions
< 3.7.4
Patched versions
3.7.4
Description
Impact
A carefully crafted malicious OpenRefine project tar file can be used to trigger arbitrary code execution if a user can be convinced to import it.
Patches
The vulnerability exists in all versions of OpenRefine up to and including 3.7.3. Users should update to OpenRefine 3.7.4 as soon as possible.
Workarounds
Only import OpenRefine projects from trusted sources.
References
A similar issue existed in the Create Project feature (CVE-2018-19859), which was fixed by PR #1901.
References
- GHSA-m88m-crr9-jvqq
- https://nvd.nist.gov/vuln/detail/CVE-2023-37476
- OpenRefine/OpenRefine@e9c1e65
- https://github.com/OpenRefine/OpenRefine/releases/tag/3.7.4
wetneb published to OpenRefine/OpenRefine
Jul 17, 2023
Published to the GitHub Advisory Database
Jul 18, 2023
Reviewed
Jul 18, 2023
Last updated
Jul 18, 2023
Related news
A high-severity security flaw has been disclosed in the open-source OpenRefine data cleanup and transformation tool that could result in arbitrary code execution on affected systems. Tracked as CVE-2023-37476 (CVSS score: 7.8), the vulnerability is a Zip Slip vulnerability that could have adverse impacts when importing a specially crafted project in versions 3.7.3 and below. "Although OpenRefine
OpenRefine is a free, open source tool for data processing. A carefully crafted malicious OpenRefine project tar file can be used to trigger arbitrary code execution in the context of the OpenRefine process if a user can be convinced to import it. The vulnerability exists in all versions of OpenRefine up to and including 3.7.3. Users should update to OpenRefine 3.7.4 as soon as possible. Users unable to upgrade should only import OpenRefine projects from trusted sources.