CVE-2023-37476: OpenRefine vulnerable to zip slip in project import
A carefully crafted malicious OpenRefine project tar file can be used to trigger arbitrary code execution if a user can be convinced to import it.
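The mitigation for this bug class is a path-containment check on every archive entry before it is written to disk. The following is an added example in Python, not OpenRefine's code: `find_escaping_entries`, `build_sample_archive` and the `import-dest` directory name are assumptions, and the archive contents are constructed.

```python
import io
import os
import tarfile


def find_escaping_entries(archive: bytes, dest_dir: str) -> list[str]:
    """Return the names of tar members that would land outside `dest_dir`.

    Each member's target path is resolved (normalising '..' and absolute
    components) and must remain under the resolved destination directory.
    Symlinks and hard links are reported as well, because they can point
    anywhere regardless of their own name.
    """
    dest_real = os.path.realpath(dest_dir)
    escaping = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        for member in tar.getmembers():
            # os.path.join discards dest_real if member.name is absolute,
            # so absolute names are caught by the same containment test.
            target = os.path.realpath(os.path.join(dest_real, member.name))
            inside = os.path.commonpath([dest_real, target]) == dest_real
            if not inside or member.issym() or member.islnk():
                escaping.append(member.name)
    return escaping


def build_sample_archive() -> bytes:
    """Constructed sample: one ordinary project file plus one entry whose
    name climbs out of the extraction directory (the zip-slip pattern)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, payload in [("metadata.json", b"{}"), ("../../outside.txt", b"x")]:
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    # Hypothetical destination; it does not need to exist for the check.
    rejected = find_escaping_entries(build_sample_archive(), "import-dest")
    print("rejected entries:", rejected)
```

Python 3.12 and later can enforce the same rule during extraction with `TarFile.extractall(path, filter="data")`.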
References
- github.com/OpenRefine/OpenRefine
- github.com/OpenRefine/OpenRefine/commit/e9c1e65d58b47aec8cd676bd5c07d97b002f205e
- github.com/OpenRefine/OpenRefine/releases/tag/3.7.4
- github.com/OpenRefine/OpenRefine/security/advisories/GHSA-m88m-crr9-jvqq
- github.com/advisories/GHSA-m88m-crr9-jvqq
- nvd.nist.gov/vuln/detail/CVE-2023-37476
- www.sonarsource.com/blog/openrefine-zip-slip