VYPR
Moderate severity · NVD Advisory · Published Dec 5, 2018 · Updated Aug 5, 2024

CVE-2018-19859

Description

OpenRefine before 3.2 beta allows directory traversal via a relative pathname in a ZIP archive.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

OpenRefine before 3.2 beta allows directory traversal via a relative pathname in a ZIP archive, enabling arbitrary file write outside the temporary directory.

Vulnerability

OpenRefine before version 3.2 beta contains a directory traversal ("Zip Slip") vulnerability in the handling of ZIP archives during project import. The extraction code builds each destination path by joining the archive entry's name onto the temporary import directory and never checks that the result still lies inside that directory. An entry whose name carries relative path components (e.g., ../../../../../../../../tmp/dangerousscript.sh) is therefore written wherever the relative path leads, outside the intended extraction directory. This affects all versions prior to 3.2 beta, including 3.0 [TRUNK] and 3.1-beta [TRUNK] [2].

Exploitation

An attacker exploits this by crafting a ZIP file with entries whose names contain relative path components. The attacker then needs a user to import that archive through the "Create Project" interface, either by uploading the file directly or by giving OpenRefine a URL from which to fetch it. No authentication is required beyond that user interaction. Concretely: create a ZIP containing a file whose entry name is ../../../../../../../../tmp/evil.sh and host it; on import, OpenRefine writes the file to the attacker-chosen location without any warning [2].
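As an added example (not OpenRefine's code and not part of the original advisory), the following Python script builds the kind of archive described above, extracts it once with an allocator that trusts entry names the way the pre-3.2 code did, and once with an allocator that applies the same normalize-then-containment check the fix introduces. Everything happens inside a throwaway temporary directory, so the escaping entry lands two levels above the extraction directory but still within the sandbox. The entry names, file contents and function names are constructed for the demonstration.

```python
import io
import os
import tempfile
import zipfile

# Constructed sample archive (not from the advisory): one benign entry and
# one whose name climbs two directories above the extraction root.
BENIGN_ENTRY = "data/table.csv"
TRAVERSING_ENTRY = "../../evil.sh"


def build_zip() -> bytes:
    """Build the sample archive in memory; zipfile keeps '..' in names on write."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(BENIGN_ENTRY, "a,b\n1,2\n")
        zf.writestr(TRAVERSING_ENTRY, "#!/bin/sh\necho pwned\n")
    return buf.getvalue()


def allocate_file_vulnerable(root: str, name: str) -> str:
    """Pre-fix shape: join the entry name onto the root and trust the result."""
    return os.path.join(root, name)


def allocate_file_fixed(root: str, name: str) -> str:
    """Post-fix shape: normalise lexically, then require the result to stay under root.

    os.path.commonpath compares whole path components (like Java's
    Path.startsWith), so a root of /x/dir does not accept /x/dir2/...; an
    absolute entry name, which os.path.join would return unchanged, is
    rejected as well. The check is lexical and does not follow symlinks.
    """
    root = os.path.normpath(os.path.abspath(root))
    candidate = os.path.normpath(os.path.join(root, name))
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        raise ValueError(
            "Zip archives with files escaping their root directory are not allowed: " + name
        )
    return candidate


def extract(zip_bytes: bytes, dest: str, allocate) -> list:
    """Extract entry by entry using the given allocator.

    All targets are allocated before anything is written, so one bad entry
    rejects the whole archive instead of leaving a partial extraction behind.
    """
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        targets = [(info, allocate(dest, info.filename)) for info in zf.infolist()]
        for info, target in targets:
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.abspath(target))
    return written


def demo() -> dict:
    """Run both allocators inside a sandbox and report where the files landed."""
    report = {}
    with tempfile.TemporaryDirectory() as sandbox:
        dest = os.path.join(sandbox, "a", "b", "extract")
        os.makedirs(dest)
        inside = os.path.abspath(dest) + os.sep

        # Vulnerable allocator: the traversing entry escapes to <sandbox>/a/evil.sh
        paths = extract(build_zip(), dest, allocate_file_vulnerable)
        report["escaped"] = sorted(
            os.path.relpath(p, sandbox) for p in paths if not p.startswith(inside)
        )

        # Fixed allocator: the archive is rejected before any write happens
        try:
            extract(build_zip(), dest, allocate_file_fixed)
            report["fixed_rejected"] = False
        except ValueError:
            report["fixed_rejected"] = True
        report["files_under_dest"] = sorted(
            os.path.relpath(os.path.join(d, f), dest)
            for d, _, files in os.walk(dest) for f in files
        )
    return report


if __name__ == "__main__":
    print(demo())
```

The containment test mirrors the Java fix (normalize, then a component-wise prefix check against the import directory) rather than string prefix matching, and it is applied to every entry before the first byte is written. It is purely lexical, as the fix is: a symlink already present under the extraction directory would still redirect a write, which is a separate concern from the traversing entry names this CVE covers.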

Impact

Successful exploitation lets an attacker write files with attacker-controlled names and contents to any location the OpenRefine process can write to, with the privileges of that process. This can be used to create or overwrite scripts, configuration files, or other executables that are run at system startup or by other applications, potentially leading to remote code execution or privilege escalation [2].

Mitigation

The vulnerability is fixed in OpenRefine 3.2 beta, as implemented in pull request #1901 [1]. Users should upgrade to version 3.2 beta or later. As of the publication date (December 2018), no workaround exists other than avoiding ZIP imports from untrusted sources. This CVE is not listed in the CISA KEV catalog.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Ecosystem | Affected versions | Patched versions
org.openrefine:main | Maven | < 3.2-beta | 3.2-beta

Affected products (1)

Patches (1)

e243e73e4064

Fix zip slip vulnerability. Closes #1840.

https://github.com/OpenRefine/OpenRefine · Antonin Delpeuch · Dec 9, 2018 · via ghsa
2 files changed · +11 −1
  • main/src/com/google/refine/importing/ImportingUtilities.java · +5 −1 · modified
    @@ -440,7 +440,11 @@ static public File allocateFile(File dir, String name) {
                 name = name.substring(0, q);
             }
             
    -        File file = new File(dir, name);
    +        File file = new File(dir, name);     
    +        // For CVE-2018-19859, issue #1840
    +        if (!file.toPath().normalize().startsWith(dir.toPath().normalize())) {
    +        	throw new IllegalArgumentException("Zip archives with files escaping their root directory are not allowed.");
    +        }
             
             int dot = name.indexOf('.');
             String prefix = dot < 0 ? name : name.substring(0, dot);
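Review bot: the `-`/`+` pair on `File file = new File(dir, name);` changes nothing but trailing whitespace, and the `throw new IllegalArgumentException(...)` line is tab-indented while the rest of the hunk uses spaces; drop the trailing spaces so that line stays out of the diff and indent the new block with spaces. Separately, the message "Zip archives with files escaping their root directory are not allowed." is emitted from allocateFile(File dir, String name), a general helper that any upload path can call, so a non-ZIP caller would get a misleading error; a neutral wording that includes the offending name (e.g. "File name escapes the import directory: " + name) fits every caller and makes the rejected entry visible in logs. The containment test itself, `file.toPath().normalize().startsWith(dir.toPath().normalize())`, is component-wise rather than a string prefix check, so a sibling directory such as dir2 is not accepted; note that it is purely lexical and does not resolve symlinks.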
    
  • main/tests/server/src/com/google/refine/tests/importing/ImportingUtilitiesTests.java · +6 −0 · modified
    @@ -36,6 +36,12 @@ public void createProjectMetadataTest()
             Assert.assertTrue(pm.getTags().length == 0);
         }
         
    +    @Test(expectedExceptions=IllegalArgumentException.class)
    +    public void testZipSlip() {
    +        // For CVE-2018-19859, issue #1840
    +    	ImportingUtilities.allocateFile(workspaceDir, "../../script.sh");
    +    }
    +    
         private ObjectNode getNestedOptions(ImportingJob job, TreeImportingParserBase parser) {
             ObjectNode options = parser.createParserUIInitializationData(
                     job, new LinkedList<>(), "text/json");
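Review bot: testZipSlip only exercises the single rejecting input "../../script.sh"; add a positive case asserting that a plain name such as "script.sh" (and a nested one such as "sub/script.sh", if nested entries are expected) is still allocated under workspaceDir, so a later tightening of the check cannot silently reject legitimate uploads, and a case that needs normalize() to catch, such as "sub/../../script.sh", so the normalization step is covered rather than just the leading "..". The `ImportingUtilities.allocateFile(workspaceDir, "../../script.sh");` line is also tab-indented while the surrounding test file uses spaces.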
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (5)

News mentions (0)

No linked articles in our index yet.