A critical Zip Slip vulnerability was discovered in the open-source data cleaning and transformation tool ‘OpenRefine’, which allowed attackers to import malicious code and execute arbitrary code.
OpenRefine is a strong Java-based, free, open-source tool for handling messy data. This includes cleaning it, converting it into a different format, and expanding it with web services and external data.
According to SonarCloud, the Zip Slip vulnerability in OpenRefine allows attackers to overwrite existing files or the extraction of contents to unexpected locations. This vulnerability is caused by insufficient path validation while extracting archives.
Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware
The project import feature of OpenRefine versions 3.7.3 and earlier is vulnerable to a Zip Slip vulnerability (CVE-2023-37476) with a CVSS score of 7.8.
Although OpenRefine is only intended to execute locally on a user’s computer, a user can be tricked into importing a malicious project file. Once this file is imported, the attacker will be able to run arbitrary code on the victim’s computer.
“The vulnerability gives attackers a strong primitive: writing files with arbitrary content to an arbitrary location on the filesystem. For applications running with root privileges, there are dozens of possibilities to turn this into arbitrary code execution on the operating system: adding a new user to the passwd file, adding an SSH key, creating a cron job, and more”, researchers said.
OpenRefine Version 3.7.4, published on July 17, 2023, has a fix for the issue.
In light of this, Users are recommended to update to OpenRefine 3.7.4 as soon as feasible.
Protect yourself from vulnerabilities using Patch Manager Plus to quickly patch over 850 third-party applications. Take advantage of the free trial to ensure 100% security.
A new malware variant called Nunu Stealer is making headlines after being advertised on underground hacker forums…
A critical vulnerability has been identified in Siemens' User Management Component (UMC), which could allow…
Foxit Software has issued critical security updates for its widely used PDF solutions, Foxit PDF…
Microsoft has swiftly addressed a critical security vulnerability affecting Windows 11 (version 23H2), which could…
A Romanian man has been sentenced to 20 years in prison for his involvement in…
The Cybersecurity and Infrastructure Security Agency (CISA) has sounded the alarm over a critical vulnerability…