Bug#1041422: openrefine: CVE-2023-37476
Moritz Mühlenhoff
jmm at inutil.org
Tue Jul 18 19:38:12 BST 2023
Source: openrefine
X-Debbugs-CC: team at security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for openrefine.
CVE-2023-37476[0]:
| OpenRefine is a free, open source tool for data processing. A
| carefully crafted malicious OpenRefine project tar file can be used
| to trigger arbitrary code execution in the context of the OpenRefine
| process if a user can be convinced to import it. The vulnerability
| exists in all versions of OpenRefine up to and including 3.7.3.
| Users should update to OpenRefine 3.7.4 as soon as possible. Users
| unable to upgrade should only import OpenRefine projects from
| trusted sources.
https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-m88m-crr9-jvqq
https://github.com/OpenRefine/OpenRefine/commit/e9c1e65d58b47aec8cd676bd5c07d97b002f205e
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-37476
https://www.cve.org/CVERecord?id=CVE-2023-37476
Please adjust the affected versions in the BTS as needed.