Bug#1086041: openrefine: CVE-2024-49760 CVE-2024-47882 CVE-2024-47881 CVE-2024-47880 CVE-2024-47879 CVE-2024-47878
Moritz Mühlenhoff
jmm at inutil.org
Fri Oct 25 14:37:38 BST 2024
Source: openrefine
X-Debbugs-CC: team at security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for openrefine.
CVE-2024-49760[0]:
| OpenRefine is a free, open source tool for working with messy data.
| The load-language command expects a `lang` parameter from which it
| constructs the path of the localization file to load, of the form
| `translations-$LANG.json`. But when doing so in versions prior to
| 3.8.3, it does not check that the resulting path is in the expected
| directory, which means that this command could be exploited to read
| other JSON files on the file system. Version 3.8.3 addresses this
| issue.
https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-qfwq-6jh6-8xx4
https://github.com/OpenRefine/OpenRefine/commit/24d084052dc55426fe460f2a17524fd18d28b20c
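Added example for the load-language issue above (written for this report; it is neither OpenRefine's code nor the 3.8.3 fix): a Python sketch of the directory-containment check the description says was missing, beside the unchecked splice it replaces. The "translations-$LANG.json" naming comes from the advisory; the function names, the allow-list pattern and the sample directory are assumptions.

```python
import os
import re

# Conservative allow-list for language tags such as "en", "pt_BR" or "zh-CN".
# Rejecting anything else is the first line of defence; the containment check
# below is the second, in case the allow-list is ever loosened.
LANG_TAG = re.compile(r"[A-Za-z]{2,3}([_-][A-Za-z0-9]{2,8})*")


def translation_path_unchecked(lang_dir, lang):
    """Pattern the advisory describes: the tag is spliced into the file name
    and the result is used as-is. normpath stands in for a loader that
    collapses ".." segments lexically before opening the file (constructed)."""
    return os.path.normpath(os.path.join(lang_dir, f"translations-{lang}.json"))


def translation_path_checked(lang_dir, lang):
    """Hardened pattern: validate the tag, then prove the resolved path still
    lies inside lang_dir. Returns the path, or None if the request is refused."""
    if not LANG_TAG.fullmatch(lang):
        return None
    base = os.path.realpath(lang_dir)
    candidate = os.path.realpath(os.path.join(base, f"translations-{lang}.json"))
    # commonpath defeats both ".." segments and symlinked files; a plain
    # startswith(base) would wrongly accept a sibling such as "langs-old/".
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def escapes_directory(lang_dir, path):
    """True if path resolves to somewhere outside lang_dir."""
    base = os.path.realpath(lang_dir)
    return os.path.commonpath([base, os.path.realpath(path)]) != base


if __name__ == "__main__":
    langs = "/srv/refine/langs"  # constructed sample directory
    for tag in ("en", "pt_BR", "x/../../../other"):  # last one is traversal
        print(tag, "->", translation_path_unchecked(langs, tag),
              "| checked:", translation_path_checked(langs, tag))
```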
CVE-2024-47882[1]:
| OpenRefine is a free, open source tool for working with messy data.
| Prior to version 3.8.3, the built-in "Something went wrong!" error
| page includes the exception message and exception traceback without
| escaping HTML tags, enabling injection into the page if an attacker
| can reliably produce an error with an attacker-influenced message.
| It appears that the only way to reach this code in OpenRefine itself
| is for an attacker to somehow convince a victim to import a
| malicious file, which may be difficult. However, out-of-tree
| extensions may add their own calls to `respondWithErrorPage`.
| Version 3.8.3 has a fix for this issue.
https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-j8hp-f2mj-586g
https://github.com/OpenRefine/OpenRefine/commit/85594e75e7b36025f7b6a67dcd3ec253c5dff8c2
CVE-2024-47881[2]:
| OpenRefine is a free, open source tool for working with messy data.
| Starting in version 3.4-beta and prior to version 3.8.3, in the
| `database` extension, the "enable_load_extension" property can be
| set for the SQLite integration, enabling an attacker to load (local
| or remote) extension DLLs and so run arbitrary code on the server.
| The attacker needs to have network access to the OpenRefine
| instance. Version 3.8.3 fixes this issue.
https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-87cf-j763-vvh8
https://github.com/OpenRefine/OpenRefine/commit/853a1d91662e7dc278a9a94a38be58de04494056
CVE-2024-47880[3]:
| OpenRefine is a free, open source tool for working with messy data.
| Prior to version 3.8.3, the `export-rows` command can be used in
| such a way that it reflects part of the request verbatim, with a
| Content-Type header also taken from the request. An attacker could
| lead a user to a malicious page that submits a form POST that
| contains embedded JavaScript code. This code would then be included
| in the response, along with an attacker-controlled `Content-Type`
| header, and so potentially executed in the victim's browser as if it
| was part of OpenRefine. The attacker-provided code can do anything
| the user can do, including deleting projects, retrieving database
| passwords, or executing arbitrary Jython or Closure expressions, if
| those extensions are also present. The attacker must know a valid
| project ID of a project that contains at least one row. Version
| 3.8.3 fixes the issue.
https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-79jv-5226-783f
https://github.com/OpenRefine/OpenRefine/commit/8060477fa53842ebabf43b63e039745932fa629d
CVE-2024-47879[4]:
| OpenRefine is a free, open source tool for working with messy data.
| Prior to version 3.8.3, lack of cross-site request forgery
| protection on the `preview-expression` command means that visiting a
| malicious website could cause an attacker-controlled expression to
| be executed. The expression can contain arbitrary Clojure or Python
| code. The attacker must know a valid project ID of a project that
| contains at least one row, and the attacker must convince the victim
| to open a malicious webpage. Version 3.8.3 fixes the issue.
https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-3jm4-c6qf-jrh3
https://github.com/OpenRefine/OpenRefine/commit/090924ca923489b6c94397cf1f5df7f7f78f0126
CVE-2024-47878[5]:
| OpenRefine is a free, open source tool for working with messy data.
| Prior to version 3.8.3, the `/extension/gdata/authorized` endpoint
| includes the `state` GET parameter verbatim in a `<script>` tag in
| the output, so without escaping. An attacker could lead or redirect
| a user to a crafted URL containing JavaScript code, which would then
| cause that code to be executed in the victim's browser as if it was
| part of OpenRefine. Version 3.8.3 fixes this issue.
https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-pw3x-c5vp-mfc3
https://github.com/OpenRefine/OpenRefine/commit/10bf0874d67f1018a58b3732332d76b840192fea
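Added example for the "state" parameter issue above (written for this report; not OpenRefine's code or its fix): a Python sketch of handing an untrusted value to a script without including it verbatim. The point worth keeping is that HTML entity escaping is the wrong tool inside a script element; the value has to become a JavaScript literal with "<", ">" and "&" written as \uXXXX escapes. The callback page template and the function names are assumptions.

```python
import json


def script_literal(value):
    """Serialize a value as a JavaScript literal that is safe inside a
    <script> block. json.dumps yields valid JS for strings, numbers, lists and
    dicts; the extra replacements keep the HTML parser (which scans script
    text for "</script" and "<!--" before any JavaScript runs) from seeing
    either, so a value can never terminate the script element early."""
    return (json.dumps(value)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def roundtrip(value):
    """The escaping is lossless: JSON decoding the literal gives value back,
    and a JS engine reads the \\uXXXX escapes the same way."""
    return json.loads(script_literal(value))


def render_authorized_page(state):
    """Constructed stand-in for a callback page that hands an OAuth "state"
    value to its script. The untrusted value goes through script_literal and
    is never concatenated into the page verbatim."""
    return ("<!doctype html><html><body><script>\n"
            f"  var state = {script_literal(state)};\n"
            "  if (window.opener) {\n"
            "    window.opener.postMessage(state, window.location.origin);\n"
            "  }\n"
            "</script></body></html>")


def script_closers(page):
    """Number of script-closing sequences the HTML parser would see."""
    return page.lower().count("</script")


if __name__ == "__main__":
    sample = "abc</script>def"  # constructed value containing a tag closer
    page = render_authorized_page(sample)
    print(page)
    print("script closers seen by the HTML parser:", script_closers(page))
```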
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-49760
https://www.cve.org/CVERecord?id=CVE-2024-49760
[1] https://security-tracker.debian.org/tracker/CVE-2024-47882
https://www.cve.org/CVERecord?id=CVE-2024-47882
[2] https://security-tracker.debian.org/tracker/CVE-2024-47881
https://www.cve.org/CVERecord?id=CVE-2024-47881
[3] https://security-tracker.debian.org/tracker/CVE-2024-47880
https://www.cve.org/CVERecord?id=CVE-2024-47880
[4] https://security-tracker.debian.org/tracker/CVE-2024-47879
https://www.cve.org/CVERecord?id=CVE-2024-47879
[5] https://security-tracker.debian.org/tracker/CVE-2024-47878
https://www.cve.org/CVERecord?id=CVE-2024-47878
Please adjust the affected versions in the BTS as needed.