Security researcher Stefan Schiller from Sonar recently disclosed a critical security vulnerability in OpenRefine that allows unauthenticated attackers to execute arbitrary code on the user’s machine. Sonar published details of the vulnerability on Sep 28, 2023, after a patch for the flaw had been released. The vulnerability, tracked as CVE-2023-37476, has a CVSS score of 7.8, making it high in severity. Sonar shared in its blog that it caught this vulnerability as part of its continued effort to scan open-source projects for security vulnerabilities using SonarCloud, a free code analysis product for open-source projects.
In this blog post, we cover what a Zip Slip vulnerability is, provide background on OpenRefine, summarize the vulnerability, outline the affected versions, and, most importantly, explain how to fix CVE-2023-37476, a Zip Slip vulnerability in OpenRefine. We urge users of OpenRefine to fix CVE-2023-37476 to avoid potential compromise.
A Zip Slip vulnerability stems from inadequate path validation when extracting zip archives. This allows attackers to overwrite existing files or extract files to unintended locations outside of the intended destination folder.
By exploiting a Zip Slip vulnerability, attackers can write files to arbitrary locations on the file system. This can be leveraged to achieve remote code execution by overwriting sensitive files like SSH keys, adding new users, or even creating cron jobs.
OpenRefine is a popular open-source data cleaning and transformation tool. It provides a web interface to load, clean, transform, and extend datasets. OpenRefine runs as a local web server on the user’s machine. The web interface allows data cleaning operations to be done comfortably through the browser.
Some key features of OpenRefine include:
Import data from local files, web URLs, databases, etc.
Identify data types and convert columns into appropriate types like numbers, dates, etc.
Sort, filter, facet, and cluster data for analysis.
Transform data using GREL expressions.
Reconcile data by linking columns to reference datasets.
Export clean datasets to various formats.
CVE ID: CVE-2023-37476
Base Score: 7.8 HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Demonstration of OpenRefine vulnerability by Sonar
CVE-2023-37476 is a critical Zip Slip vulnerability in the project import feature of OpenRefine versions 3.7.3 and below. The vulnerability allows attackers to execute arbitrary code on the user’s machine by tricking the user into importing a malicious OpenRefine project file. Once imported, the malicious archive can write files outside the intended extraction directory because entry paths are not validated. This results in an arbitrary file overwrite. By overwriting sensitive files, attackers could achieve remote code execution. OpenRefine’s auto-reload feature exacerbates the impact, since overwritten Java class files are picked up and executed, yielding RCE.
The researcher published the SonarCloud findings about the flaw in the original blog post; read the technical details there.
As per the security researcher, OpenRefine versions 3.7.3 and below are affected by CVE-2023-37476.
OpenRefine has addressed this vulnerability by releasing version 3.7.4, which contains the appropriate fix. To protect your OpenRefine installation from the Zip Slip vulnerability, it is essential to upgrade to version 3.7.4. The fix ensures that every file is extracted under the intended base folder, using the toPath method to validate entry paths and prevent path traversal. By upgrading to the fixed version, you mitigate the risk of exploitation and keep your system secure.
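The following is an added illustration of the Zip Slip pattern described above and of the containment check the fix relies on. It is not OpenRefine’s code: the project’s fix is written in Java and uses toPath, whereas this is the same idea in Python so it runs stand-alone. The archive is constructed inline and is not a real OpenRefine project file; the entry names, directory names and function names are all assumptions made for the example. It goes slightly beyond the post by also rejecting absolute entry names, which escape the destination in the same way as `..` segments.

```python
import io
import tempfile
import zipfile
from pathlib import Path


def build_sample_archive(escapes=("../escaped.txt",)) -> bytes:
    """Construct an in-memory zip (not a real OpenRefine project): one benign
    entry plus any entry names passed in `escapes` that try to leave the destination."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("project/data.csv", "id,name\n1,alice\n")
        for name in escapes:
            zf.writestr(name, "attempt to land outside the destination\n")
    return buf.getvalue()


def find_traversal_entries(archive: bytes, dest) -> list:
    """Return the names of entries whose resolved target would land outside dest.
    Works as an audit step before importing an archive at all."""
    base = Path(dest).resolve()
    bad = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            # Joining an absolute name onto base discards base in pathlib, and
            # resolve() collapses '..' segments, so both escape forms end up outside base.
            target = (base / info.filename).resolve()
            if target != base and base not in target.parents:
                bad.append(info.filename)
    return bad


def extract_unsafe(archive: bytes, dest) -> list:
    """Naive extraction (the Zip Slip pattern): entry names are joined onto dest
    with no containment check, so '../' in a name walks out of dest."""
    dest = Path(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = dest / info.filename  # no check that target stays under dest
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target.resolve())
    return written


def extract_safe(archive: bytes, dest) -> list:
    """Hardened extraction: validate every entry first and refuse the whole
    archive before writing anything if any entry would escape dest."""
    offending = find_traversal_entries(archive, dest)
    if offending:
        raise ValueError(f"archive rejected, entries escape {dest}: {offending}")
    base = Path(dest).resolve()
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            target = (base / info.filename).resolve()
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target)
    return written


def demo(escapes=("../escaped.txt",)) -> dict:
    """Run both extractors on the constructed archive inside a throwaway directory
    and report where the naive one wrote and whether the hardened one refused."""
    archive = build_sample_archive(escapes)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        unsafe_dest = root / "unsafe"
        unsafe_dest.mkdir()
        unsafe_paths = extract_unsafe(archive, unsafe_dest)
        escaped = [p.name for p in unsafe_paths if unsafe_dest not in p.parents]

        safe_dest = root / "safe"
        safe_dest.mkdir()
        try:
            extract_safe(archive, safe_dest)
            rejected = False
        except ValueError:
            rejected = True
        safe_files = [p for p in safe_dest.rglob("*") if p.is_file()]
    return {
        "unsafe_escaped": escaped,
        "safe_rejected": rejected,
        "safe_files_written": len(safe_files),
    }


if __name__ == "__main__":
    print(demo())
```

Two design choices matter here. The check compares resolved paths rather than looking for a literal `..` substring, so absolute names and `..` hidden behind symlinked directories are handled the same way; and validation runs over the whole archive before the first byte is written, so a rejected import leaves no half-extracted files behind.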
CVE-2023-37476 is a high-severity arbitrary code execution vulnerability affecting OpenRefine. Although it requires user interaction, users are strongly recommended to upgrade to OpenRefine version 3.7.4 to mitigate this vulnerability. This blog post summarizes the technical details of this vulnerability and provides actionable remediation steps required to fix CVE-2023-37476. For any issues faced during the upgrade, refer to the official OpenRefine documentation.
We hope this post helps you understand how to fix CVE-2023-37476, a Zip Slip vulnerability in OpenRefine. Thanks for reading this post.
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.