Source: openrefine
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for openrefine.

CVE-2024-49760[0]:
| OpenRefine is a free, open source tool for working with messy data.
| The load-language command expects a `lang` parameter from which it
| constructs the path of the localization file to load, of the form
| `translations-$LANG.json`. But when doing so in versions prior to
| 3.8.3, it does not check that the resulting path is in the expected
| directory, which means that this command could be exploited to read
| other JSON files on the file system. Version 3.8.3 addresses this
| issue.

https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-qfwq-6jh6-8xx4
https://github.com/OpenRefine/OpenRefine/commit/24d084052dc55426fe460f2a17524fd18d28b20c

CVE-2024-47882[1]:
| OpenRefine is a free, open source tool for working with messy data.
| Prior to version 3.8.3, the built-in "Something went wrong!" error
| page includes the exception message and exception traceback without
| escaping HTML tags, enabling injection into the page if an attacker
| can reliably produce an error with an attacker-influenced message.
| It appears that the only way to reach this code in OpenRefine itself
| is for an attacker to somehow convince a victim to import a
| malicious file, which may be difficult. However, out-of-tree
| extensions may add their own calls to `respondWithErrorPage`.
| Version 3.8.3 has a fix for this issue.

https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-j8hp-f2mj-586g
https://github.com/OpenRefine/OpenRefine/commit/85594e75e7b36025f7b6a67dcd3ec253c5dff8c2

CVE-2024-47881[2]:
| OpenRefine is a free, open source tool for working with messy data.
| Starting in version 3.4-beta and prior to version 3.8.3, in the
| `database` extension, the "enable_load_extension" property can be
| set for the SQLite integration, enabling an attacker to load (local
| or remote) extension DLLs and so run arbitrary code on the server.
| The attacker needs to have network access to the OpenRefine
| instance. Version 3.8.3 fixes this issue.

https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-87cf-j763-vvh8
https://github.com/OpenRefine/OpenRefine/commit/853a1d91662e7dc278a9a94a38be58de04494056

CVE-2024-47880[3]:
| OpenRefine is a free, open source tool for working with messy data.
| Prior to version 3.8.3, the `export-rows` command can be used in
| such a way that it reflects part of the request verbatim, with a
| Content-Type header also taken from the request. An attacker could
| lead a user to a malicious page that submits a form POST that
| contains embedded JavaScript code. This code would then be included
| in the response, along with an attacker-controlled `Content-Type`
| header, and so potentially executed in the victim's browser as if it
| was part of OpenRefine. The attacker-provided code can do anything
| the user can do, including deleting projects, retrieving database
| passwords, or executing arbitrary Jython or Closure expressions, if
| those extensions are also present. The attacker must know a valid
| project ID of a project that contains at least one row. Version
| 3.8.3 fixes the issue.

https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-79jv-5226-783f
https://github.com/OpenRefine/OpenRefine/commit/8060477fa53842ebabf43b63e039745932fa629d

CVE-2024-47879[4]:
| OpenRefine is a free, open source tool for working with messy data.
| Prior to version 3.8.3, lack of cross-site request forgery
| protection on the `preview-expression` command means that visiting a
| malicious website could cause an attacker-controlled expression to
| be executed. The expression can contain arbitrary Clojure or Python
| code. The attacker must know a valid project ID of a project that
| contains at least one row, and the attacker must convince the victim
| to open a malicious webpage. Version 3.8.3 fixes the issue.

https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-3jm4-c6qf-jrh3
https://github.com/OpenRefine/OpenRefine/commit/090924ca923489b6c94397cf1f5df7f7f78f0126

CVE-2024-47878[5]:
| OpenRefine is a free, open source tool for working with messy data.
| Prior to version 3.8.3, the `/extension/gdata/authorized` endpoint
| includes the `state` GET parameter verbatim in a `<script>` tag in
| the output, so without escaping. An attacker could lead or redirect
| a user to a crafted URL containing JavaScript code, which would then
| cause that code to be executed in the victim's browser as if it was
| part of OpenRefine. Version 3.8.3 fixes this issue.

https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-pw3x-c5vp-mfc3
https://github.com/OpenRefine/OpenRefine/commit/10bf0874d67f1018a58b3732332d76b840192fea

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-49760
    https://www.cve.org/CVERecord?id=CVE-2024-49760
[1] https://security-tracker.debian.org/tracker/CVE-2024-47882
    https://www.cve.org/CVERecord?id=CVE-2024-47882
[2] https://security-tracker.debian.org/tracker/CVE-2024-47881
    https://www.cve.org/CVERecord?id=CVE-2024-47881
[3] https://security-tracker.debian.org/tracker/CVE-2024-47880
    https://www.cve.org/CVERecord?id=CVE-2024-47880
[4] https://security-tracker.debian.org/tracker/CVE-2024-47879
    https://www.cve.org/CVERecord?id=CVE-2024-47879
[5] https://security-tracker.debian.org/tracker/CVE-2024-47878
    https://www.cve.org/CVERecord?id=CVE-2024-47878

Please adjust the affected versions in the BTS as needed.
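The missing check behind CVE-2024-49760 (a `lang` value that makes `translations-$LANG.json` resolve outside the translations directory) is the kind of containment test shown below. This is an added illustration, not OpenRefine's own code or the fix in the linked commit; the class name, the allow-list regex and the sample directory are assumptions, and the check refuses both malformed tags and any normalised path whose parent is not the base directory.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

// Hypothetical helper (not OpenRefine's code): resolves the localization file
// for a requested `lang` and refuses anything that escapes the base directory.
public final class LocalizationPathCheck {

    // Allow-list for locale tags such as "en", "pt_BR" or "zh-Hant".
    // Rejecting everything else up front removes "/" and "." sequences entirely.
    private static final Pattern LANG_TAG =
            Pattern.compile("[A-Za-z]{2,3}([_-][A-Za-z0-9]{2,8})*");

    /**
     * Returns the absolute path of translations-$LANG.json inside baseDir, or
     * throws if `lang` is malformed or the normalised path leaves baseDir.
     */
    public static Path resolveTranslationFile(Path baseDir, String lang) {
        if (lang == null || !LANG_TAG.matcher(lang).matches()) {
            throw new IllegalArgumentException("invalid lang parameter");
        }
        Path base = baseDir.toAbsolutePath().normalize();
        // Same file-name scheme the advisory describes: translations-$LANG.json
        Path candidate = base.resolve("translations-" + lang + ".json").normalize();
        // Containment check (defence in depth behind the allow-list): after
        // normalisation the file must still be a direct child of the base directory.
        if (!base.equals(candidate.getParent())) {
            throw new SecurityException("path escapes translations directory");
        }
        return candidate;
    }

    public static void main(String[] args) {
        Path base = Paths.get("langs"); // constructed sample directory, not a project path
        System.out.println("ok: " + resolveTranslationFile(base, "pt_BR"));
        // Constructed inputs that the pre-3.8.3 logic would have used to build a path.
        for (String bad : new String[] {"../other-config", "en/../../other", "en\u0000"}) {
            try {
                resolveTranslationFile(base, bad);
                System.out.println("ACCEPTED (bug): " + bad);
            } catch (RuntimeException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The allow-list alone already rejects the traversal inputs; keeping the parent-directory comparison as well means a later change to the regex cannot silently reopen the file read.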