Advisories for Maven/Org.openrefine/Main package

2024

OpenRefine's PreviewExpressionCommand, which is eval, lacks protection against cross-site request forgery (CSRF)

Lack of CSRF protection on the preview-expression command means that visiting a malicious website could cause an attacker-controlled expression to be executed. The expression can contain arbitrary Clojure or Python code. The attacker must know a valid project ID of a project that contains at least one row.

2023

Server-Side Request Forgery (SSRF)

OpenRefine <= v3.5.2 contains a Server-Side Request Forgery (SSRF) vulnerability, which permits unauthorized users to exploit the system, potentially leading to unauthorized access to internal resources and sensitive file disclosure.

OpenRefine vulnerable to zip slip in project import

A carefully crafted malicious OpenRefine project tar file can be used to trigger arbitrary code execution if a user can be convinced to import it.

2022

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

OpenRefine before 3.2 beta allows directory traversal via a relative pathname in a ZIP archive.