A high-severity security flaw has been disclosed in the open-source OpenRefine data cleanup and transformation tool that could result in arbitrary code execution on affected systems.
Tracked as CVE-2023-37476 (CVSS score: 7.8), the vulnerability is a Zip Slip flaw that can have adverse effects when a specially crafted project is imported in versions 3.7.3 and below.
“Although OpenRefine is designed to run only locally on the user’s machine, an attacker could trick the user into importing a malicious project file,” Sonar security researcher Stefan Schiller said in a report published last week. “Once this file is imported, the attacker can execute arbitrary code on the user’s machine.”
A Zip Slip vulnerability is a form of directory traversal: an attacker can exploit it to write files to parts of the file system that should not otherwise be accessible, paving the way for code execution.
The attack is built on two moving parts: a malicious archive and extraction code that does not adequately validate the paths of the entries it unpacks, which can allow files to be overwritten or written to unexpected locations.
The planted files can then be triggered either by the adversary or by the system (or user), resulting in command execution on the victim’s machine.
The vulnerability identified in OpenRefine is similar in that the “untar” method used to extract files from an archive would enable a bad actor to write files outside the destination folder by creating an archive with an entry named “../../../../tmp/pwned.”
The vulnerability has been fixed in version 3.7.4, released on July 17, 2023, following a responsible disclosure on July 7, 2023.
“This vulnerability provides attackers with a strong primitive: writing files with arbitrary content to an arbitrary location on the file system,” Schiller said.
“For applications running with root privileges, there are dozens of possibilities to change it from executing arbitrary code on the operating system: adding a new user to the passwd file, adding an SSH key, creating a cron job, and more.”
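The destination check that the vulnerable “untar” method lacked, shown as an added example in Python (not OpenRefine’s own Java code): it constructs a sample archive containing a benign entry and the “../../../../tmp/pwned” entry name quoted above, then extracts only entries whose canonical path stays under the destination directory. The archive contents and the `demo` helper are constructed for illustration.

```python
import io
import os
import tarfile
import tempfile


def build_malicious_tar() -> bytes:
    """Constructed sample: a benign entry plus the advisory's "../../../../tmp/pwned" entry."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in (("project/data.csv", b"a,b\n1,2\n"),
                           ("../../../../tmp/pwned", b"owned\n")):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def is_within(dest: str, target: str) -> bool:
    """True if target canonicalizes under dest: the check the vulnerable untar lacked."""
    dest, target = os.path.realpath(dest), os.path.realpath(target)
    return os.path.commonpath([dest, target]) == dest


def safe_untar(archive: bytes, dest: str):
    """Extract regular files that stay under dest; return
    (extracted_names, rejected_names)."""
    extracted, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for member in tar.getmembers():
            target = os.path.join(dest, member.name)
            # Reject traversal, absolute names and links: a symlink that
            # points outside dest plus a later write is the same flaw.
            if (not member.isfile() or os.path.isabs(member.name)
                    or not is_within(dest, target)):
                rejected.append(member.name)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with tar.extractfile(member) as src, open(target, "wb") as out:
                out.write(src.read())
            extracted.append(member.name)
    return extracted, rejected


def demo():
    """Run the hardened extractor on the constructed archive in a scratch dir."""
    with tempfile.TemporaryDirectory() as dest:
        return safe_untar(build_malicious_tar(), dest)
```

Running `demo()` extracts `project/data.csv` and rejects the traversal entry instead of writing to `/tmp/pwned`.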
The disclosure comes as proof-of-concept (PoC) exploit code has surfaced for a pair of now-patched flaws in Microsoft SharePoint Server – CVE-2023-29357 (CVSS score: 9.8) and CVE-2023-24955 (CVSS score: 7.2) – that could be chained to achieve privilege escalation and remote code execution.
It also follows a Cyfirma warning of a high-severity bug in Apache NiFi (CVE-2023-34468, CVSS score: 8.8) that allows remote code execution via malicious H2 database connection strings. The issue has been resolved in Apache NiFi 1.22.0.
“The impact of this vulnerability is severe, as it provides attackers with the ability to gain unauthorized access to systems, exfiltrate sensitive data, and remotely execute malicious code,” the cybersecurity firm said. “An attacker could exploit this flaw to compromise data integrity, disrupt operations, and potentially cause financial and reputational damage.”