7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
0.001 Low
EPSS
Percentile
25.5%
OpenRefine is a free, open source tool for data processing. A carefully
crafted malicious OpenRefine project tar file can be used to trigger
arbitrary code execution in the context of the OpenRefine process if a user
can be convinced to import it. The vulnerability exists in all versions of
OpenRefine up to and including 3.7.3. Users should update to OpenRefine
3.7.4 as soon as possible. Users unable to upgrade should only import
OpenRefine projects from trusted sources.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 22.04 | noarch | openrefine | < any | UNKNOWN |
ubuntu | 23.10 | noarch | openrefine | < any | UNKNOWN |
ubuntu | 24.04 | noarch | openrefine | < any | UNKNOWN |
github.com/OpenRefine/OpenRefine/commit/e9c1e65d58b47aec8cd676bd5c07d97b002f205e
github.com/OpenRefine/OpenRefine/security/advisories/GHSA-m88m-crr9-jvqq
launchpad.net/bugs/cve/CVE-2023-37476
nvd.nist.gov/vuln/detail/CVE-2023-37476
security-tracker.debian.org/tracker/CVE-2023-37476
www.cve.org/CVERecord?id=CVE-2023-37476