Security researcher Stefan Schiller of Sonar recently disclosed a high-severity vulnerability in OpenRefine that lets an attacker execute arbitrary code on the user's machine without authentication, provided the user can be tricked into importing a crafted project file. Sonar published the details on Sep 28, 2023, once a patched release was available. The vulnerability is tracked as CVE-2023-37476 and carries a CVSS score of 7.8 (High). Sonar states in its blog that the flaw was found through its ongoing scanning of open-source projects with SonarCloud, its free code analysis product for open-source projects.
This post explains what a Zip Slip vulnerability is, gives some background on OpenRefine, summarizes CVE-2023-37476 and the affected versions, and, most importantly, explains how to fix it. OpenRefine users are urged to apply the fix for CVE-2023-37476 to avoid a potential compromise.
What is a Zip Slip Vulnerability?
A Zip Slip vulnerability stems from inadequate validation of entry names when extracting zip (or tar) archives. An entry named with `../` components, or with an absolute path, is written relative to the destination folder without being checked, so the attacker can overwrite existing files or drop new files in locations outside the intended extraction directory.
By exploiting a Zip Slip vulnerability, an attacker gains an arbitrary file write on the file system with the privileges of the extracting process. That primitive is routinely turned into code execution: overwriting SSH `authorized_keys` files, adding cron jobs, dropping shell profile scripts, or, in Java applications, replacing class files or libraries the application will load.
A Short Introduction to OpenRefine and Its Key Features
OpenRefine is a popular open-source data cleaning and transformation tool. It provides a web interface to load, clean, transform, and extend datasets. OpenRefine runs as a local web server on the user’s machine. The web interface allows data cleaning operations to be done comfortably through the browser.
Some key features of OpenRefine include:
- Import data from local files, web URLs, databases, etc.
- Identify data types and convert columns into appropriate types like numbers, dates, etc.
- Sort, filter, facet, and cluster data for analysis.
- Transform data using GREL expressions.
- Reconcile data by linking columns to reference datasets.
- Export clean datasets to various formats.
Summary of CVE-2023-37476
- CVE ID: CVE-2023-37476
- Base Score: 7.8 HIGH
- Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2023-37476 is a high-severity Zip Slip vulnerability in the project import feature of OpenRefine versions 3.7.3 and below. An attacker who tricks a user into importing a malicious OpenRefine project archive can write files outside the intended extraction directory, because entry paths are not validated against the destination folder. The result is an arbitrary file write and overwrite primitive on the user's machine; by overwriting sensitive files the attacker can turn it into code execution. Note that the CVSS vector is AV:L with UI:R: the payload is delivered remotely as a project file, but the code runs locally, under the account running OpenRefine, only after the user imports it. OpenRefine's auto-reload behaviour makes the impact worse, since an overwritten Java class file is picked up and executed without a restart.
OpenRefine Versions Vulnerable to CVE-2023-37476
According to the researcher's advisory, OpenRefine versions 3.7.3 and below are affected by CVE-2023-37476.
How to Fix CVE-2023-37476?
OpenRefine has addressed this vulnerability in version 3.7.4. To protect your installation from the Zip Slip vulnerability, upgrade to 3.7.4 or later. The fix checks each archive entry before writing it: the entry's destination is converted with the Java `toPath` method and verified to lie under the intended base folder, so an entry whose normalized path escapes that folder is rejected instead of extracted. Upgrading to the fixed version removes the exploitable path and is the only supported remediation; there is no configuration workaround.
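The script below is an added illustration of the bug class and of the containment check described above; it is written in Python for brevity and is not OpenRefine's Java code or the actual patch. It builds a constructed sample archive with one benign entry and one traversal entry (the `../../escaped.txt` name is an assumption for the demo, not the advisory's payload), runs it through a naive extraction loop that reproduces the Zip Slip, and then through a hardened loop that resolves every entry path and rejects anything outside the resolved base directory. The helper names and the temporary directory layout are assumptions too.

```python
import io
import shutil
import tempfile
import zipfile
from pathlib import Path

# Constructed sample archive (not the advisory's payload): one benign entry
# plus one entry whose name walks out of the extraction directory.
ESCAPE_ENTRY = "../../escaped.txt"  # assumed traversal name for the demo


def build_malicious_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("metadata.json", '{"name": "demo project"}')
        zf.writestr(ESCAPE_ENTRY, "written outside the extraction directory\n")
    return buf.getvalue()


def extract_vulnerable(zip_bytes: bytes, dest: Path) -> list:
    """Hand-rolled extraction that trusts entry names: each name is joined
    onto dest and written there. Reproduces the bug class, not OpenRefine's
    exact code."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = dest / info.filename  # '..' components pass straight through
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target.resolve())
    return written


def entry_is_contained(base, name: str) -> bool:
    """True only if base/name, once resolved, is base itself or lies below it.
    Absolute entry names replace base entirely when joined, so they fail too."""
    base = Path(base).resolve()
    target = (base / name).resolve()
    return target == base or base in target.parents


def extract_hardened(zip_bytes: bytes, dest: Path) -> list:
    """Same loop, but an entry is written only if its resolved path stays
    under the resolved base directory (the containment check the fix adds)."""
    base = dest.resolve()
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not entry_is_contained(base, info.filename):
                raise ValueError(f"Zip Slip entry rejected: {info.filename!r}")
            target = (base / info.filename).resolve()
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target)
    return written


def run_case(extractor) -> dict:
    """Extract the sample into <tmp>/sandbox/project so that '../../' lands at
    <tmp>/escaped.txt, still inside a throwaway root, and report what happened."""
    root = Path(tempfile.mkdtemp(prefix="zipslip-demo-"))
    try:
        dest = root / "sandbox" / "project"
        try:
            extractor(build_malicious_zip(), dest)
            rejected = False
        except ValueError:
            rejected = True
        return {
            "rejected": rejected,
            "escaped": (root / "escaped.txt").is_file(),
            "benign_written": (dest / "metadata.json").is_file(),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print("vulnerable:", run_case(extract_vulnerable))
    print("hardened:  ", run_case(extract_hardened))
```

Two points worth noting. Python's own `ZipFile.extract()` already strips traversal components, which is why the vulnerable loop writes entries by hand; the bug class lives in custom extraction code, exactly as in the affected OpenRefine importer. Second, the check resolves both sides with `resolve()` rather than comparing strings, so `a/../../x`, absolute names, and symlinks in already-extracted parents are all handled the same way; a plain prefix comparison on unnormalized strings would not be.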
CVE-2023-37476 is a high-severity arbitrary code execution vulnerability in OpenRefine. Although exploitation requires the user to import a malicious project file, users are strongly advised to upgrade to OpenRefine 3.7.4 or later, and to treat project archives from untrusted sources with the same caution as executables until they have done so. This post has summarized the technical details of the vulnerability and the remediation steps for CVE-2023-37476. For any issues during the upgrade, refer to the official OpenRefine documentation.