Advisory Database
  • Advisories
  • Dependency Scanning
  1. maven
  2. ›
  3. org.openrefine/main
  4. ›
  5. CVE-2023-37476

CVE-2023-37476: OpenRefine vulnerable to zip slip in project import

July 18, 2023 (updated June 10, 2025)

A carefully crafted malicious OpenRefine project tar file can be used to trigger arbitrary code execution if a user can be convinced to import it.

References

  • github.com/OpenRefine/OpenRefine
  • github.com/OpenRefine/OpenRefine/commit/e9c1e65d58b47aec8cd676bd5c07d97b002f205e
  • github.com/OpenRefine/OpenRefine/releases/tag/3.7.4
  • github.com/OpenRefine/OpenRefine/security/advisories/GHSA-m88m-crr9-jvqq
  • github.com/advisories/GHSA-m88m-crr9-jvqq
  • nvd.nist.gov/vuln/detail/CVE-2023-37476
  • www.sonarsource.com/blog/openrefine-zip-slip

Code Behaviors & Features

Detect and mitigate CVE-2023-37476 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →

Affected versions

All versions before 3.7.4

Fixed versions

  • 3.7.4

Solution

Upgrade to version 3.7.4 or above.

Impact 7.8 HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Learn more about CVSS

Weakness

  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Source file

maven/org.openrefine/main/CVE-2023-37476.yml

Spotted a mistake? Edit the file on GitLab.

  • Site Repo
  • About GitLab
  • Terms
  • Privacy Statement
  • Contact

Page generated Sat, 23 Aug 2025 00:18:45 +0000.