CVE-2023-37476

Zip slip in OpenRefine

Description

OpenRefine is a free, open source tool for data processing. A carefully crafted malicious OpenRefine project tar file can be used to trigger arbitrary code execution in the context of the OpenRefine process if a user can be convinced to import it. The vulnerability exists in all versions of OpenRefine up to and including 3.7.3. Users should update to OpenRefine 3.7.4 as soon as possible. Users unable to upgrade should only import OpenRefine projects from trusted sources.

References

Link	Tags
https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-m88m-crr9-jvqq	vendor advisory
https://github.com/OpenRefine/OpenRefine/commit/e9c1e65d58b47aec8cd676bd5c07d97b002f205e	patch

Frequently Asked Questions

What is the severity of CVE-2023-37476?: CVE-2023-37476 has been scored as a medium severity vulnerability.
How to fix CVE-2023-37476?: To fix CVE-2023-37476, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2023-37476 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2023-37476 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-37476?: CVE-2023-37476 affects OpenRefine OpenRefine.

This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.

Description

Category

CWE-22 – Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

References

Frequently Asked Questions