Veracode Vulnerability Database: VERACODE:41431
Published: Jul 21, 2023 - 1:58 a.m.

Path Traversal

Source: Veracode Vulnerability Database (sca.analysiscenter.veracode.com)

Tags: path traversal, openrefine, vulnerability, untar function, fileprojectmanager.java, relative paths, malicious code

CVSS3: 7.8 High
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

EPSS: 0.001 Low
EPSS Percentile: 25.5%

org.openrefine is vulnerable to Path Traversal. The untar function in FileProjectManager.java does not confine the entries of an OpenRefine project tar file to the extraction root directory, so an entry with a relative path can be written to a location outside the expected directory. An attacker who can convince a user to import a crafted project archive can use this to inject and execute malicious code.
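The kind of check the description implies, as an added example rather than OpenRefine's own code: every tar entry name is normalized against the extraction root before anything is written, and any name whose normalized target leaves that root is rejected. The class name `SafeUntarPaths`, the method `resolveEntry`, the extraction root and the sample entry names are assumptions constructed for this illustration.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;

public class SafeUntarPaths {

    /**
     * Resolve one tar entry name against the extraction root and reject it
     * if the normalized target would fall outside that root. A tar
     * extraction loop should run this before creating any file or directory.
     */
    public static Path resolveEntry(Path root, String entryName) throws IOException {
        Path base = root.toAbsolutePath().normalize();
        // Treat the entry as relative even if the archive stored it with a
        // leading "/" (common tar tools strip it the same way).
        String relative = entryName.replaceFirst("^/+", "");
        Path target = base.resolve(relative).normalize();
        // Path.startsWith compares whole path components, so a sibling
        // directory such as "<root>-evil" is not accepted as a prefix match.
        if (!target.startsWith(base)) {
            throw new IOException("tar entry escapes extraction root: " + entryName);
        }
        return target;
    }

    public static void main(String[] args) {
        // Hypothetical extraction root; nothing is created on disk here.
        Path root = Paths.get(System.getProperty("java.io.tmpdir"), "openrefine-import");
        // Constructed entry names of the kind a project tar might carry.
        String[] entries = {
            "metadata.json",            // ordinary entry, allowed
            "data/../metadata.json",    // dot-dot that stays inside root, allowed
            "../../../tmp/escaped.txt", // dot-dot that climbs out of root, rejected
            "/etc/passwd",              // leading slash stripped, lands under root
        };
        for (String name : entries) {
            try {
                System.out.println("OK      " + name + " -> " + resolveEntry(root, name));
            } catch (IOException e) {
                System.out.println("REJECT  " + name + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

This validates entry names only: a symbolic-link entry in the archive whose target points outside the root, followed by an entry written through that link, needs a separate check (refuse link entries or validate their targets the same way).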
