A high-severity security flaw has been disclosed in the open-source OpenRefine data cleanup and transformation tool that could result in arbitrary code execution on affected systems.
Tracked as CVE-2023-37476 (CVSS score: 7.8), the vulnerability is a Zip Slip vulnerability that could have adverse impacts when importing a specially crafted project in versions 3.7.3 and below.
“Although OpenRefine is designed to only run locally on a user’s machine, an attacker can trick a user into importing a malicious project file,” Sonar security researcher Stefan Schiller said in a report published last week. “Once this file is imported, the attacker can execute arbitrary code on the user’s machine.”
Software susceptible to Zip Slip vulnerabilities can pave the way for code execution by taking advantage of a directory traversal bug that an attacker can exploit to gain access to parts of the file system that should otherwise be out of reach.
The attack is built on two moving parts: a malicious archive and extraction code that does not perform sufficient validation checking, which can allow for overwriting files or unpacking them to unintended locations.
The extracted files can either be invoked remotely by the adversary or by the system (or user), resulting in command execution on the victim’s machine.
The vulnerability identified in OpenRefine is along similar lines in that the “untar” method for extracting the files from the archive allows a bad actor to write files outside the destination folder by creating an archive with a file named “../../../../tmp/pwned.”
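The following Python is an added example, not code from the article or from OpenRefine's own code base. It shows the validation step that an "untar" routine needs to be Zip Slip-safe: every entry's path is resolved and checked to lie inside the destination directory before any byte is written, and link entries (which can also point outside) are refused. The archive contents, the entry names (including the traversal name quoted above), and the function names are constructed for the illustration.

```python
import io
import os
import tarfile
import tempfile


def _is_within(base: str, target: str) -> bool:
    """True if the fully resolved target path stays inside base."""
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    return os.path.commonpath([base, target]) == base


def safe_untar(archive_bytes: bytes, dest_dir: str) -> list[str]:
    """Extract a tar archive, refusing any entry whose resolved path escapes dest_dir.

    Raises ValueError on the first unsafe entry (traversal or link) so that a
    crafted archive aborts the import instead of silently writing elsewhere.
    Returns the relative names of the regular files written.
    """
    written: list[str] = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            target = os.path.join(dest_dir, member.name)
            # The core Zip Slip check: "../" segments (or an absolute name)
            # resolve to a path outside the destination and are rejected.
            if not _is_within(dest_dir, target):
                raise ValueError(f"zip-slip entry rejected: {member.name!r}")
            # Symlinks and hardlinks can redirect later writes outside too.
            if member.issym() or member.islnk():
                raise ValueError(f"link entry rejected: {member.name!r}")
            if member.isdir():
                os.makedirs(target, exist_ok=True)
                continue
            if not member.isfile():
                raise ValueError(f"unsupported entry type: {member.name!r}")
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with tar.extractfile(member) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(member.name)
    return written


def build_tar(entries: dict[str, bytes]) -> bytes:
    """Build a constructed in-memory tar archive from {entry name: content}.

    Names are written verbatim, so this reproduces an archive carrying a
    traversal entry without touching the real file system.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in entries.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def demo() -> dict[str, object]:
    """Run the hardened extractor on a benign and on a traversal archive."""
    results: dict[str, object] = {}
    # Constructed sample archives (not real OpenRefine project files).
    benign = build_tar({
        "project/metadata.json": b"{}",
        "project/data.csv": b"a,b\n1,2\n",
    })
    malicious = build_tar({"../../../../tmp/pwned": b"constructed payload\n"})
    with tempfile.TemporaryDirectory() as dest:
        results["benign"] = safe_untar(benign, dest)
        try:
            safe_untar(malicious, dest)
            results["malicious"] = "extracted"
        except ValueError as exc:
            results["malicious"] = str(exc)
    return results


if __name__ == "__main__":
    print(demo())
```

The comparison is done on `os.path.realpath` output rather than on the raw entry string, so it catches `..` segments, absolute names, and names that only differ by a prefix (`dest_evil` vs `dest`); a naive `startswith` check on the unresolved string would miss the latter.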
Following responsible disclosure on July 7, 2023, the vulnerability has been patched in version 3.7.4, released on July 17, 2023.
“The vulnerability gives attackers a strong primitive: writing files with arbitrary content to an arbitrary location on the filesystem,” Schiller said.
“For applications running with root privileges, there are dozens of possibilities to turn this into arbitrary code execution on the operating system: adding a new user to the passwd file, adding an SSH key, creating a cron job, and more.”
The disclosure comes as proof-of-concept (PoC) exploit code has surfaced for a pair of now-patched flaws in Microsoft SharePoint Server – CVE-2023-29357 (CVSS score: 9.8) and CVE-2023-24955 (CVSS score: 7.2) – that could be chained to achieve privilege escalation and remote code execution.
It also follows an alert from Cyfirma warning of a high-severity bug in Apache NiFi (CVE-2023-34468, CVSS score: 8.8) that allows remote code execution via malicious H2 database connection strings. It has been fixed in Apache NiFi 1.22..
“The impact of this vulnerability is severe, as it grants attackers the ability to gain unauthorized access to systems, exfiltrate sensitive data, and execute malicious code remotely,” the cybersecurity firm said. “An attacker could exploit this flaw to compromise data integrity, disrupt operations, and potentially cause financial and reputational damage.”