OpenRefine’s Zip Slip Vulnerability Could Let Attackers Execute Malicious Code

A high-severity security flaw has been disclosed throughout the open-source OpenRefine data cleanup and transformation gadget that will result in arbitrary code execution on affected methods.

Tracked as CVE-2023-37476 (CVSS score: 7.8), the vulnerability is a Zip Slip vulnerability that will have opposed impacts when importing a particularly crafted mission in variations 3.7.3 and beneath.

“Although OpenRefine is designed to solely run domestically on an individual’s machine, an attacker can trick an individual into importing a malicious mission file,” Sonar security researcher Stefan Schiller said in a report revealed remaining week. “As quickly as this file is imported, the attacker can execute arbitrary code on the individual’s machine.”

Software program program prone to Zip Slip vulnerabilities can pave one of the best ways for code execution by benefiting from an inventory traversal bug that an attacker can exploit to understand entry to parts of the file system that should be out of attain in some other case.

The assault is constructed on two transferring parts: a malicious archive and extraction code that doesn’t perform sufficient validation checking, which can allow for overwriting data or unpacking them to unintended areas.

The extracted data can each be invoked remotely by the adversary or by the system (or individual), resulting in command execution on the sufferer’s machine.

The vulnerability acknowledged in OpenRefine is alongside associated strains in that the “untar” method for extracting the data from the archive permits a foul actor to put in writing down data outside the holiday spot folder by creating an archive with a file named “../../../../tmp/pwned.”

Following accountable disclosure on July 7, 2023, the vulnerability has been patched in version 3.7.4 launched on July 17, 2023.

“The vulnerability presents attackers a sturdy primitive: writing data with arbitrary content material materials to an arbitrary location on the filesystem,” Schiller said.

“For capabilities working with root privileges, there are dozens of prospects to indicate this into arbitrary code execution on the working system: together with a model new individual to the passwd file, together with an SSH key, making a cron job, and additional.”

The disclosure comes as proof-of-concept (PoC) exploit code has surfaced for a pair of now-patched flaws in Microsoft SharePoint Server – CVE-2023-29357 (CVSS score: 9.8) and CVE-2023-24955 (CVSS score: 7.2) – that will very properly be chained to understand privilege escalation and distant code execution.

It moreover follows an alert from Cyfirma warning of a high-severity bug in Apache NiFi (CVE-2023-34468, CVSS score: 8.8) that allows remote code execution by malicious H2 database connection strings. It has been resolved in Apache NiFi 1.22.0.

“The have an effect on of this vulnerability is excessive, as a result of it grants attackers the pliability to understand unauthorized entry to methods, exfiltrate delicate data, and execute malicious code remotely,” the cybersecurity company said. “An attacker may exploit this flaw to compromise data integrity, disrupt operations, and possibly set off financial and reputational damage.”