A high-severity security flaw has been disclosed within the open-source OpenRefine information cleanup and transformation software that would end in arbitrary code execution on affected programs.
Tracked as CVE-2023-37476 (CVSS rating: 7.8), the vulnerability is a Zip Slip vulnerability that would have opposed impacts when importing a specifically crafted mission in variations 3.7.3 and under.
“Though OpenRefine is designed to solely run regionally on a consumer’s machine, an attacker can trick a consumer into importing a malicious mission file,” Sonar security researcher Stefan Schiller mentioned in a report revealed final week. “As soon as this file is imported, the attacker can execute arbitrary code on the consumer’s machine.”
Software program liable to Zip Slip vulnerabilities can pave the way in which for code execution by making the most of a listing traversal bug that an attacker can exploit to achieve entry to elements of the file system that needs to be out of attain in any other case.
The assault is constructed on two shifting elements: a malicious archive and extraction code that doesn’t carry out sufficient validation checking, which might enable for overwriting recordsdata or unpacking them to unintended places.
The extracted recordsdata can both be invoked remotely by the adversary or by the system (or consumer), leading to command execution on the sufferer’s machine.
The vulnerability recognized in OpenRefine is alongside comparable traces in that the “untar” technique for extracting the recordsdata from the archive allows a nasty actor to write down recordsdata exterior the vacation spot folder by creating an archive with a file named “../../../../tmp/pwned.”
Following accountable disclosure on July 7, 2023, the vulnerability has been patched in model 3.7.4 launched on July 17, 2023.
“The vulnerability provides attackers a robust primitive: writing recordsdata with arbitrary content material to an arbitrary location on the filesystem,” Schiller mentioned.
“For functions working with root privileges, there are dozens of prospects to show this into arbitrary code execution on the working system: including a brand new consumer to the passwd file, including an SSH key, making a cron job, and extra.”
The disclosure comes as proof-of-concept (PoC) exploit code has surfaced for a pair of now-patched flaws in Microsoft SharePoint Server – CVE-2023-29357 (CVSS rating: 9.8) and CVE-2023-24955 (CVSS rating: 7.2) – that could possibly be chained to realize privilege escalation and distant code execution.
It additionally follows an alert from Cyfirma warning of a high-severity bug in Apache NiFi (CVE-2023-34468, CVSS rating: 8.8) that enables distant code execution by way of malicious H2 database connection strings. It has been resolved in Apache NiFi 1.22.0.
“The impression of this vulnerability is extreme, because it grants attackers the power to achieve unauthorized entry to programs, exfiltrate delicate information, and execute malicious code remotely,” the cybersecurity agency mentioned. “An attacker may exploit this flaw to compromise information integrity, disrupt operations, and probably trigger monetary and reputational harm.”
