ghsa-j8hp-f2mj-586g
Vulnerability from github
Published
2024-10-24 18:13
Modified
2024-10-24 21:46
Severity ?
5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N
Summary
OpenRefine's error page lacks escaping, leading to potential Cross-site Scripting on import of malicious project
Details

Summary

The built-in "Something went wrong!" error page includes the exception message and exception traceback without escaping HTML tags, enabling injection into the page if an attacker can reliably produce an error with an attacker-influenced message.

It appears that the only way to reach this code in OpenRefine itself is for an attacker to somehow convince a victim to import a malicious file, as in GHSA-m88m-crr9-jvqq, which may be difficult. However, out-of-tree extensions may add their own calls to respondWithErrorPage.

Details

The Command.respondWithErrorPage (through HttpUtilities.respondWithErrorPage) function renders the Velocity template error.vt, which contains the $message and $stack variables, which are included in the response as-is:

https://github.com/OpenRefine/OpenRefine/blob/master/main/webapp/modules/core/error.vt#L52-L53

However, the message can contain HTML tags, which would then be interpreted by the browser. A mitigation would be to escape both the message and stack trace, perhaps using Guava's HTML escaper.

Flows that report errors as application/json responses are not interpreted by the browser and so not affected by this issue.

PoC

In OpenRefine, use the "Import project" feature to import the following URL (or upload it as a file): https://wandernauta.nl/oa/example.tar.gz

A JavaScript alert appears.

Impact

Execution of arbitrary JavaScript in the victim's browser, provided the victim can be convinced to import a malicious project. The script can do anything the user can do.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.openrefine:openrefine"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.8.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-47882"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79",
      "CWE-81"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-10-24T18:13:04Z",
    "nvd_published_at": "2024-10-24T21:15:13Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nThe built-in \"Something went wrong!\" error page includes the exception message and exception traceback without escaping HTML tags, enabling injection into the page if an attacker can reliably produce an error with an attacker-influenced message.\n\nIt appears that the only way to reach this code in OpenRefine itself is for an attacker to somehow convince a victim to import a malicious file, as in GHSA-m88m-crr9-jvqq, which may be difficult.  However, out-of-tree extensions may add their own calls to `respondWithErrorPage`.\n\n### Details\n\nThe `Command.respondWithErrorPage` (through `HttpUtilities.respondWithErrorPage`) function renders the Velocity template `error.vt`, which contains the `$message` and `$stack` variables, which are included in the response as-is:\n\nhttps://github.com/OpenRefine/OpenRefine/blob/master/main/webapp/modules/core/error.vt#L52-L53\n\nHowever, the message can contain HTML tags, which would then be interpreted by the browser. A mitigation would be to escape both the message and stack trace, perhaps using Guava\u0027s HTML escaper.\n\nFlows that report errors as `application/json` responses are not interpreted by the browser and so not affected by this issue.\n\n### PoC\n\nIn OpenRefine, use the \"Import project\" feature to import the following URL (or upload it as a file): https://wandernauta.nl/oa/example.tar.gz\n\nA JavaScript alert appears.\n\n### Impact\n\nExecution of arbitrary JavaScript in the victim\u0027s browser, provided the victim can be convinced to import a malicious project. The script can do anything the user can do.",
  "id": "GHSA-j8hp-f2mj-586g",
  "modified": "2024-10-24T21:46:03Z",
  "published": "2024-10-24T18:13:04Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-j8hp-f2mj-586g"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47882"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OpenRefine/OpenRefine/commit/85594e75e7b36025f7b6a67dcd3ec253c5dff8c2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/OpenRefine/OpenRefine"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OpenRefine/OpenRefine/blob/master/main/webapp/modules/core/error.vt#L52-L53"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenRefine\u0027s error page lacks escaping, leading to potential Cross-site Scripting on import of malicious project"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.