OpenRefine <= v3.5.2 SSRF

OpenRefine v<=3.5.2 contains a Server-Side Request Forgery (SSRF) vulnerability, which permits unauthorized users to exploit the system, potentially leading to unauthorized access to internal resources and sensitive file disclosure.

The root cause of this vulnerability lies in OpenRefine's inadequate server-side validation of the supplied URL. While client-side validation exists, the server-side fails to perform the same level of scrutiny. Consequently, if a user initially provides a valid URI and then later substitutes it with a malicious one, the server-side system fails to detect the alteration.

PoC

This vulnerability can be leveraged during the process of creating a new project in OpenRefine. Specifically, by selecting the option to import a project from Web Addresses URLs, a malicious actor can insert a payload that enables them to access internal resources or read sensitive files.

Disclosure Timeline

• Date of Discovery: 10/04/2022
• Reported to OpenRefine Security Team: 15/04/2022
• OpenRefine Team Acknowledgment: 23/05/2022
• Security Path Release: 07/07/2022