GHSA-m88m-crr9-jvqq
Suggest an improvement- Source
- https://github.com/advisories/GHSA-m88m-crr9-jvqq
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-m88m-crr9-jvqq/GHSA-m88m-crr9-jvqq.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-m88m-crr9-jvqq
- Aliases
- Published
- 2023-07-18T18:47:27Z
- Modified
- 2024-02-16T07:56:25.046130Z
- Severity
-
- 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L CVSS Calculator
- Summary
- OpenRefine vulnerable to zip slip in project import
- Details
-
Impact
A carefully crafted malicious OpenRefine project tar file can be used to trigger arbitrary code execution if a user can be convinced to import it.
Patches
The vulnerability exists in all versions of OpenRefine up to and including 3.7.3. Users should update to OpenRefine 3.7.4 as soon as possible.
Workarounds
Only import OpenRefine projects from trusted sources.
References
A similar issue existed in the Create Project feature (CVE-2018-19859), which was fixed by PR #1901.
- Database specific
{ "nvd_published_at": "2023-07-17T22:15:09Z", "cwe_ids": [ "CWE-22" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2023-07-18T18:47:27Z" }- References
-
- https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-m88m-crr9-jvqq
- https://nvd.nist.gov/vuln/detail/CVE-2023-37476
- https://github.com/OpenRefine/OpenRefine/commit/e9c1e65d58b47aec8cd676bd5c07d97b002f205e
- https://github.com/OpenRefine/OpenRefine
- https://github.com/OpenRefine/OpenRefine/releases/tag/3.7.4
- https://www.sonarsource.com/blog/openrefine-zip-slip
Affected packages
Maven / org.openrefine:main
Package
- Name
- org.openrefine:main
- View open source insights on deps.dev
- Purl
- pkg:maven/org.openrefine/main