CVE-2018-20157: XEE
First published: Fri Dec 14 2018(Updated: )
The data import functionality in OpenRefine through 3.1 allows an XML External Entity (XXE) attack through a crafted (zip) file, allowing attackers to read arbitrary files.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Openrefine Openrefine | <=3.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID of this OpenRefine vulnerability?
The vulnerability ID of this OpenRefine vulnerability is CVE-2018-20157.
What is the severity of CVE-2018-20157?
The severity of CVE-2018-20157 is high with a CVSS score of 7.5.
How does the vulnerability in OpenRefine through 3.1 allow an attacker to read arbitrary files?
The vulnerability in OpenRefine through 3.1 allows an attacker to read arbitrary files through a crafted (zip) file by exploiting an XML External Entity (XXE) attack.
Which software version is affected by CVE-2018-20157?
The software version affected by CVE-2018-20157 is OpenRefine up to and including version 3.1.
Is there any fix available for CVE-2018-20157?
Yes, a fix is available for CVE-2018-20157. It is recommended to update OpenRefine to a version that is not affected by the vulnerability.
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/severity
- agent/references
- agent/remedy
- agent/author
- agent/weakness
- agent/first-publish-date
- agent/event
- agent/description
- agent/tags
- agent/source
- vendor/openrefine
- canonical/openrefine openrefine
- version/openrefine openrefine/3.1