Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1tODhtLWNycjktanZxcc4AA0xq
OpenRefine vulnerable to zip slip in project import
Impact
A carefully crafted malicious OpenRefine project tar file can be used to trigger arbitrary code execution if a user can be convinced to import it. The project import extracts archive entries without validating their paths (a zip slip), so an entry whose name contains `../` components can be written outside the intended project directory; an attacker-controlled file landing at a location of the attacker's choosing is what turns the path traversal into code execution.
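As an added illustration (not OpenRefine's code and not the fix shipped in 3.7.4), the following Python script builds a tar archive in memory containing a traversal entry, then runs it through an extractor that trusts entry names and through one that resolves every path and refuses anything outside the destination before writing a single byte. The entry names, the `../../escaped.sh` payload and the scratch directory layout are constructed for this example only.

```python
import io
import os
import tarfile
import tempfile
from pathlib import Path

# Constructed entry name: climbs two levels above the import directory.
TRAVERSAL_NAME = "../../escaped.sh"


def build_tar(entries) -> bytes:
    """Build a tar archive in memory from (name, bytes) pairs. Names are written
    into the headers as given, so a traversal name survives unchanged."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in entries:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def extract_unsafe(tar_bytes: bytes, dest: str) -> list:
    """Vulnerable pattern: join the destination with the entry name and write.
    Returns the real paths that were written, wherever they landed."""
    written = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            target = os.path.join(dest, member.name)  # no containment check
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(tar.extractfile(member).read())
            written.append(os.path.realpath(target))
    return written


def safe_target(dest: str, name: str) -> Path:
    """Resolve dest/name (normalising '..' and symlinked parents) and refuse any
    result outside dest. Absolute entry names fail the same check."""
    base = Path(dest).resolve()
    target = (base / name).resolve()
    if not target.is_relative_to(base):  # Path.is_relative_to needs Python 3.9+
        raise ValueError(f"entry {name!r} escapes {base}")
    return target


def extract_safe(tar_bytes: bytes, dest: str) -> list:
    """Hardened extractor: validate every entry first and write only afterwards,
    so a bad archive leaves nothing behind. Links are refused outright because a
    symlink extracted earlier could redirect a later, correctly checked write."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        plan = []
        for member in tar.getmembers():
            if member.issym() or member.islnk():
                raise ValueError(f"link entry not allowed: {member.name!r}")
            if not (member.isfile() or member.isdir()):
                raise ValueError(f"unsupported entry type: {member.name!r}")
            plan.append((member, safe_target(dest, member.name)))
        written = []
        for member, target in plan:
            if member.isdir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(tar.extractfile(member).read())
            written.append(str(target))
    return written


def demo() -> dict:
    """Run both extractors in a scratch tree two levels deep, so the traversal
    entry lands inside the temporary root rather than anywhere real on disk."""
    malicious = build_tar([("metadata.json", b"{}"), (TRAVERSAL_NAME, b"echo pwned\n")])
    benign = build_tar([("metadata.json", b"{}"), ("data/cell.txt", b"42")])
    out = {}
    with tempfile.TemporaryDirectory() as root:
        unsafe_dest = os.path.join(root, "projects", "import-a")
        safe_dest = os.path.join(root, "projects", "import-b")
        os.makedirs(unsafe_dest)
        os.makedirs(safe_dest)

        paths = extract_unsafe(malicious, unsafe_dest)
        inside = os.path.realpath(unsafe_dest) + os.sep
        out["unsafe_escaped"] = any(not p.startswith(inside) for p in paths)
        out["unsafe_escaped_file"] = os.path.isfile(os.path.join(root, "escaped.sh"))

        try:
            extract_safe(malicious, safe_dest)
            out["safe_rejected"] = False
        except ValueError as exc:
            out["safe_rejected"] = True
            out["safe_error"] = str(exc)
        out["safe_leftover"] = os.listdir(safe_dest)  # nothing written before the rejection

        out["benign_written"] = len(extract_safe(benign, safe_dest))
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The containment check resolves the joined path rather than string-matching for `..`, which also catches absolute names and parents that are symlinks; validating the whole archive before writing avoids leaving a half-extracted project behind when a later entry is rejected.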
Patches
The vulnerability exists in all versions of OpenRefine up to and including 3.7.3. Users should update to OpenRefine 3.7.4 as soon as possible.
Workarounds
Only import OpenRefine projects from trusted sources.
References
A similar issue existed in the Create Project feature (CVE-2018-19859), which was fixed by PR #1901.
Permalink: https://github.com/advisories/GHSA-m88m-crr9-jvqq
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tODhtLWNycjktanZxcc4AA0xq
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 10 months ago
Updated: 6 months ago
CVSS Score: 5.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
Identifiers: GHSA-m88m-crr9-jvqq, CVE-2023-37476
References:
- https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-m88m-crr9-jvqq
- https://nvd.nist.gov/vuln/detail/CVE-2023-37476
- https://github.com/OpenRefine/OpenRefine/commit/e9c1e65d58b47aec8cd676bd5c07d97b002f205e
- https://github.com/OpenRefine/OpenRefine/releases/tag/3.7.4
- https://www.sonarsource.com/blog/openrefine-zip-slip/
- https://github.com/advisories/GHSA-m88m-crr9-jvqq
Blast Radius: 9.9
Affected Packages
maven:org.openrefine:main
Dependent packages: 8
Dependent repositories: 64
Affected Version Ranges: < 3.7.4
Fixed in: 3.7.4
All affected versions: 3.6.0, 3.6.1, 3.6.2, 3.7.0, 3.7.2
All unaffected versions: 3.8.0