org.openrefine:main 3.7-beta2 vulnerabilities

Known vulnerabilities in the org.openrefine:main package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability	Vulnerable Version
H Directory Traversal Affected versions of this package are vulnerable to Directory Traversal via the `LoadLanguageCommand` component due to improper sanitization of the `strLang` parameter. An attacker can read arbitrary JSON files on the system by manipulating the `strLang` parameter to construct a path outside of the intended directory. How to fix Directory Traversal? Upgrade `org.openrefine:main` to version 3.8.3 or higher.	[,3.8.3)
M Cross-site Scripting (XSS) Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the `ExportRowsCommand` component due to improper sanitization of the `Content-Type` header. An attacker can execute arbitrary JavaScript in the user's browser by leading a user to a malicious page that submits a form POST containing embedded JavaScript. Note: This is only exploitable if the attacker knows a valid project ID of a project that contains at least one row. How to fix Cross-site Scripting (XSS)? Upgrade `org.openrefine:main` to version 3.8.3 or higher.	[,3.8.3)
M Cross-site Request Forgery (CSRF) Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) through the `PreviewExpressionCommand` process due to missing validation of the CSRF token. An attacker can exploit this vulnerability by convincing a user to visit a malicious website and interact with a crafted page that submits a POST request without the user's consent. Note: This is only exploitable if the attacker knows a valid project ID and the project contains at least one row. How to fix Cross-site Request Forgery (CSRF)? Upgrade `org.openrefine:main` to version 3.8.3 or higher.	[,3.8.3)
M Arbitrary File Write via Archive Extraction (Zip Slip) Affected versions of this package are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) via project import, when a carefully crafted malicious OpenRefine project tar file can be used to trigger arbitrary code execution if a user can be convinced to import it. How to fix Arbitrary File Write via Archive Extraction (Zip Slip)? Upgrade `org.openrefine:main` to version 3.7.4 or higher.	[,3.7.4)

Vulnerability

Vulnerable Version

Directory Traversal

Affected versions of this package are vulnerable to Directory Traversal via the LoadLanguageCommand component due to improper sanitization of the strLang parameter. An attacker can read arbitrary JSON files on the system by manipulating the strLang parameter to construct a path outside of the intended directory.

How to fix Directory Traversal?

Upgrade org.openrefine:main to version 3.8.3 or higher.

[,3.8.3)

Cross-site Scripting (XSS)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the ExportRowsCommand component due to improper sanitization of the Content-Type header. An attacker can execute arbitrary JavaScript in the user's browser by leading a user to a malicious page that submits a form POST containing embedded JavaScript.

Note:

This is only exploitable if the attacker knows a valid project ID of a project that contains at least one row.

How to fix Cross-site Scripting (XSS)?

Upgrade org.openrefine:main to version 3.8.3 or higher.

[,3.8.3)

Cross-site Request Forgery (CSRF)

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) through the PreviewExpressionCommand process due to missing validation of the CSRF token. An attacker can exploit this vulnerability by convincing a user to visit a malicious website and interact with a crafted page that submits a POST request without the user's consent.

Note: This is only exploitable if the attacker knows a valid project ID and the project contains at least one row.

How to fix Cross-site Request Forgery (CSRF)?

Upgrade org.openrefine:main to version 3.8.3 or higher.

[,3.8.3)

Arbitrary File Write via Archive Extraction (Zip Slip)

Affected versions of this package are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) via project import, when a carefully crafted malicious OpenRefine project tar file can be used to trigger arbitrary code execution if a user can be convinced to import it.

How to fix Arbitrary File Write via Archive Extraction (Zip Slip)?

Upgrade org.openrefine:main to version 3.7.4 or higher.

[,3.7.4)

org.openrefine:main@3.7-beta2 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities

How to fix?