OpenRefine's Zip Slip Vulnerability Could Let Attackers Execute Malicious Code
Oct 02, 2023
Vulnerability / Cyber Attack
A high-severity security flaw has been disclosed in the open-source OpenRefine data cleanup and transformation tool that could result in arbitrary code execution on affected systems. Tracked as CVE-2023-37476 (CVSS score: 7.8), the vulnerability is a Zip Slip vulnerability that could have adverse impacts when importing a specially crafted project in versions 3.7.3 and below. "Although OpenRefine is designed to only run locally on a user's machine, an attacker can trick a user into importing a malicious project file," Sonar security researcher Stefan Schiller said in a report published last week. "Once this file is imported, the attacker can execute arbitrary code on the user's machine." Software prone to Zip Slip vulnerabilities can pave the way for code execution by taking advantage of a directory traversal bug that an attacker can exploit to gain access to parts of the file system that should be out of reach otherwise. The attack is built on t...
