CVE-2023-37476

NameCVE-2023-37476
Description OpenRefine is a free, open source tool for data processing. A carefully crafted malicious OpenRefine project tar file can be used to trigger arbitrary code execution in the context of the OpenRefine process if a user can be convinced to import it. The vulnerability exists in all versions of OpenRefine up to and including 3.7.3. Users should update to OpenRefine 3.7.4 as soon as possible. Users unable to upgrade should only import OpenRefine projects from trusted sources.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1041422

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
openrefine (PTS)bookworm3.6.2-2+deb12u2fixed
sid, trixie3.7.8-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
openrefinesourcebookworm3.6.2-2+deb12u1
openrefinesource(unstable)3.6.2-31041422

Notes

https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-m88m-crr9-jvqq
https://github.com/OpenRefine/OpenRefine/commit/e9c1e65d58b47aec8cd676bd5c07d97b002f205e (master)
https://github.com/OpenRefine/OpenRefine/commit/c40c84d8170c4d61c6a0926531b552a50caa5651 (3.7.4)
Search for package or bug name: Reporting problems