GitHub Advisory DatabaseGHSA-M88M-CRR9-JVQQOpenRefine vulnerable to zip slip in project import
4 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:S/C:N/I:P/A:N
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
0.001 Low
EPSS
Percentile
29.4%
Impact
A carefully crafted malicious OpenRefine project tar file can be used to trigger arbitrary code execution if a user can be convinced to import it.
Patches
The vulnerability exists in all versions of OpenRefine up to and including 3.7.3. Users should update to OpenRefine 3.7.4 as soon as possible.
Workarounds
Only import OpenRefine projects from trusted sources.
References
A similar issue existed in the Create Project feature (CVE-2018-19859), which was fixed by PR #1901.
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| org.openrefine:main | lt | 3.7.4 |
References
github.com/advisories/GHSA-m88m-crr9-jvqq
github.com/OpenRefine/OpenRefine/commit/e9c1e65d58b47aec8cd676bd5c07d97b002f205e
github.com/OpenRefine/OpenRefine/releases/tag/3.7.4
github.com/OpenRefine/OpenRefine/security/advisories/GHSA-m88m-crr9-jvqq
nvd.nist.gov/vuln/detail/CVE-2023-37476
www.sonarsource.com/blog/openrefine-zip-slip/
Related
4 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:S/C:N/I:P/A:N
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
0.001 Low
EPSS
Percentile
29.4%