Zip slip in OpenRefine
CVE-2023-37476

7.8HIGH

Key Information:

Vendor

Openrefine

Status
Openrefine
Vendor
CVE Published:
17 July 2023

What is CVE-2023-37476?

The vulnerability affects OpenRefine, an open-source tool for data processing, where a specially crafted malicious tar file can lead to arbitrary code execution within the OpenRefine process. This occurs if a user is persuaded to import the tainted project file. All OpenRefine versions up to and including 3.7.3 are impacted. It is recommended that users update to OpenRefine version 3.7.4 immediately. Users unable to perform the upgrade should restrict importing OpenRefine projects solely to those from trusted sources to mitigate risks.

Affected Version(s)

OpenRefine < 3.7.4

References

https://github.com/OpenRefine/OpenRefine/security/advisor...
x_refsource_CONFIRM
https://github.com/OpenRefine/OpenRefine/commit/e9c1e65d5...
x_refsource_MISC
https://github.com/OpenRefine/OpenRefine/releases/tag/3.7.4
x_refsource_MISC

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.