VDB
CVE-2023-37476
CVE-2023-37476
PUBLISHED
CVSS 5.5 MEDIUM
OpenRefine is a free, open source tool for data processing. A carefully crafted malicious OpenRefine project tar file can be used to trigger arbitrary code execution in the context of the OpenRefine process if a user can be convinced to import it. The vulnerability exists in all versions of OpenRefine up to and including 3.7.3. Users should update to OpenRefine 3.7.4 as soon as possible. Users unable to upgrade should only import OpenRefine projects from trusted sources.
EPSS 0.21% · 43.3th percentile
Risk Scores
CVSS 3.1
5.5
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
EPSS Score
0.21%
43.3th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Maven | org.openrefine:main | 0 |
| OpenRefine | OpenRefine | < 3.7.4 |
| openrefine | openrefine | 0 |
Exploit Intelligence
- https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-m88m-crr9-jvqq (circl)
- https://github.com/OpenRefine/OpenRefine/commit/e9c1e65d58b47aec8cd676bd5c07d97b002f205e (circl)
- https://github.com/OpenRefine/OpenRefine/releases/tag/3.7.4 (circl)
- https://www.sonarsource.com/blog/openrefine-zip-slip (circl)
Timeline
- Jul 17, 2023 CVE Published
- Jul 18, 2023 EPSS Score
- Aug 21, 2023 EPSS Score
- Sep 25, 2023 EPSS Score
- Oct 29, 2023 EPSS Score
- Dec 3, 2023 EPSS Score
- Jan 6, 2024 EPSS Score
- Feb 9, 2024 EPSS Score
- Mar 15, 2024 EPSS Score
- Apr 18, 2024 EPSS Score
- May 22, 2024 EPSS Score
- Jun 26, 2024 EPSS Score
References
- https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-m88m-crr9-jvqq url
- https://github.com/OpenRefine/OpenRefine/commit/e9c1e65d58b47aec8cd676bd5c07d97b002f205e url
- https://github.com/OpenRefine/OpenRefine/releases/tag/3.7.4 url
- https://www.sonarsource.com/blog/openrefine-zip-slip url
- https://nvd.nist.gov/vuln/detail/CVE-2023-37476 advisory
- https://github.com/OpenRefine/OpenRefine package