CVE-2023-37476: Zip slip in OpenRefine
First published: Mon Jul 17 2023(Updated: )
OpenRefine is a free, open source tool for data processing. A carefully crafted malicious OpenRefine project tar file can be used to trigger arbitrary code execution in the context of the OpenRefine process if a user can be convinced to import it. The vulnerability exists in all versions of OpenRefine up to and including 3.7.3. Users should update to OpenRefine 3.7.4 as soon as possible. Users unable to upgrade should only import OpenRefine projects from trusted sources.
Credit: security-advisories@github.com security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Openrefine Openrefine | <=3.7.3 | |
| maven/org.openrefine:main | <3.7.4 | 3.7.4 |
| debian/openrefine | 3.6.2-2+deb12u2 3.8.7-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/OpenRefine/OpenRefine/commit/e9c1e65d58b47aec8cd676bd5c07d97b002f205e
- https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-m88m-crr9-jvqq
- https://nvd.nist.gov/vuln/detail/CVE-2023-37476
- https://github.com/OpenRefine/OpenRefine/releases/tag/3.7.4
- https://www.sonarsource.com/blog/openrefine-zip-slip/
- https://github.com/advisories/GHSA-m88m-crr9-jvqq (Advisory)
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-37476
- https://launchpad.net/bugs/cve/CVE-2023-37476
- https://security-tracker.debian.org/tracker/CVE-2023-37476
- https://ubuntu.com/security/CVE-2023-37476
- https://github.com/OpenRefine/OpenRefine/commit/c40c84d8170c4d61c6a0926531b552a50caa5651
Frequently Asked Questions
What is the impact of CVE-2023-37476?
A carefully crafted malicious OpenRefine project tar file can be used to trigger arbitrary code execution if a user can be convinced to import it.
How do I fix CVE-2023-37476?
Users should update to OpenRefine 3.7.4.
Which versions of OpenRefine are affected by CVE-2023-37476?
All versions of OpenRefine up to and including 3.7.3 are affected.
What is the severity of CVE-2023-37476?
The severity of CVE-2023-37476 is high with a CVSS score of 7.8.
What is the Common Weakness Enumeration (CWE) for CVE-2023-37476?
The Common Weakness Enumeration (CWE) for CVE-2023-37476 is CWE-22.
- collector/nvd-latest
- collector/nvd-index
- collector/github-advisory-latest
- alias/GHSA-m88m-crr9-jvqq
- alias/CVE-2023-37476
- collector/github-advisory
- collector/nvd-cve
- agent/type
- agent/softwarecombine
- collector/nvd-api
- agent/software-canonical-lookup-request
- agent/author
- agent/severity
- agent/remedy
- agent/weakness
- agent/title
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/trending
- collector/usn-cve
- source/Ubuntu
- agent/source
- agent/description
- agent/tags
- agent/references
- agent/event
- collector/launchpad-cve
- source/Launchpad
- collector/security-tracker-debian
- source/Debian
- agent/software-canonical-lookup
- vendor/openrefine
- canonical/openrefine openrefine
- version/openrefine openrefine/3.7.3
- package-manager/maven
- package-manager/debian