OpenRefine and importing malicious code: working with data can lead to compromise

One malicious file - and your information is in the hands of intruders.

Recently, a critical vulnerability in the open data cleaning and transformation tool OpenRefine was publicly disclosed. The security flaw can lead to arbitrary code execution on affected systems.

OpenRefine is a free and open source software tool designed for data structuring. The main feature of OpenRefine is the ability to automatically detect and correct errors in data, as well as create consistent data sets.

The vulnerability, identified as CVE-2023-37476 (CVSS 7.8), is a so-called "Zip Slip" vulnerability and can have an adverse impact when importing a specially created project in OpenRefine versions 3.7.3 and later.

"Although OpenRefine is only intended to run locally on the user's computer, attackers can trick the user into importing a malicious project file," said Stefan Schiller, a security researcher at SonarSource. After importing this file, hackers will be able to execute arbitrary code on the user's machine.

Software exposed to Zip Slip vulnerabilities can pave the way for code execution by exploiting a directory traversal error, which attackers can then use to gain access to parts of the file system that should otherwise be inaccessible.

The essence of the attack is that the extraction code does not properly validate the paths of archive entries, which can allow files to be overwritten or unpacked to unintended locations.

In OpenRefine the flaw sits in the "untar" method, which allows files to be written outside the target folder when the archive contains an entry with a file name such as "../../../../tmp/pwned".

It was also noted that the vulnerability can be used to add a new user to the "passwd" file, add an SSH key, create a "cron" task, and much more.

After a responsible disclosure on July 7, 2023, the vulnerability was fixed in version 3.7.4, released on July 17, 2023. It is noteworthy that the disclosure of the vulnerability in OpenRefine occurred almost simultaneously with the appearance of the PoC code for a pair of already fixed vulnerabilities in Microsoft SharePoint and a dangerous bug in Apache NiFi, which allows remote code execution through malicious H2 database connection strings.

Users of such software are encouraged to conduct regular security audits, update the software in a timely manner, and fix any identified vulnerabilities.
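The path check that a Zip Slip-safe extractor needs, as an added example that is not part of the original post and is not OpenRefine's own code (OpenRefine is written in Java; Python is used here for illustration). The function names and the sample archives are hypothetical and constructed for the demonstration.

```python
import io
import os
import tarfile

def build_archive(names):
    """Build a constructed in-memory .tar.gz with one small file per name."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in names:
            payload = b"constructed sample content\n"
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

def _inside(dest, path):
    """True if path, once resolved, is dest itself or lies beneath it."""
    return os.path.commonpath([dest, os.path.realpath(path)]) == dest

def escaping_entries(archive_bytes, dest_dir):
    """Return the entry names that would be written outside dest_dir."""
    dest = os.path.realpath(dest_dir)
    bad = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for m in tar:
            target = os.path.join(dest, m.name)
            ok = _inside(dest, target)
            if ok and m.issym():    # symlink target is relative to the link's directory
                ok = _inside(dest, os.path.join(os.path.dirname(target), m.linkname))
            elif ok and m.islnk():  # hard link target is relative to the archive root
                ok = _inside(dest, os.path.join(dest, m.linkname))
            if not ok:
                bad.append(m.name)
    return bad

def safe_extract(archive_bytes, dest_dir):
    """Extract regular files only, refusing the whole archive if any entry escapes."""
    bad = escaping_entries(archive_bytes, dest_dir)
    if bad:
        raise ValueError(f"refusing archive, entries escape target: {bad}")
    written = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for m in tar:
            if not m.isfile():
                continue  # skip links, devices and directories
            out = os.path.join(dest_dir, m.name)
            os.makedirs(os.path.dirname(out), exist_ok=True)
            with open(out, "wb") as fh:
                fh.write(tar.extractfile(m).read())
            written.append(m.name)
    return written
```

The check resolves every entry against the real path of the target folder before anything is written, so relative traversal, absolute names and link redirection are all rejected at the same point.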