GHSA-3PG4-QWC8-426R
Vulnerability from github – Published: 2024-10-24 18:30 – Updated: 2024-10-24 18:30Impact
OpenRefine releases contain Google API authentication keys ("client id" and "client secret") which can be extracted from released artifacts. For instance, download the package for OpenRefine 3.8.2 on linux. It contains the file openrefine-3.8.2/webapp/extensions/gdata/module/MOD-INF/lib/openrefine-gdata.jar, which can be extracted.
This archive then contains the file com/google/refine/extension/gdata/GoogleAPIExtension.java, which contains the following lines:
// For a production release, the second parameter (default value) can be set
// for the following three properties (client_id, client_secret, and API key) to
// the production values from the Google API console
private static final String CLIENT_ID = System.getProperty("ext.gdata.clientid", new String(Base64.getDecoder().decode("ODk1NTU1ODQzNjMwLWhkZWwyN3NxMDM5ZjFwMmZ0aGE2M2VvcWFpY2JwamZoLmFwcHMuZ29vZ2xldXNlcmNvbnRlbnQuY29t")));
private static final String CLIENT_SECRET = System.getProperty("ext.gdata.clientsecret", new String(Base64.getDecoder().decode("R2V2TnZiTnA2a3IxeDd5c3VZNENmYlNo")));
The Base64 encoding can then be decoded to obtain the client id and client secret. Those credentials can then be used by other applications to request access to Google accounts, pretending they are OpenRefine. This assumes that they also get access to the user access tokens, which this vulnerability doesn't expose by itself.
Patches
The bundled credentials should be revoked.
Workarounds
Users should revoke access to their Google account if they have connected it to OpenRefine.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.openrefine:openrefine"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.8.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-522"
],
"github_reviewed": true,
"github_reviewed_at": "2024-10-24T18:30:00Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\n\nOpenRefine releases contain Google API authentication keys (\"client id\" and \"client secret\") which can be extracted from released artifacts. For instance, download the package for OpenRefine 3.8.2 on linux. It contains the file `openrefine-3.8.2/webapp/extensions/gdata/module/MOD-INF/lib/openrefine-gdata.jar`, which can be extracted.\nThis archive then contains the file `com/google/refine/extension/gdata/GoogleAPIExtension.java`, which contains the following lines:\n\n```java\n // For a production release, the second parameter (default value) can be set\n // for the following three properties (client_id, client_secret, and API key) to\n // the production values from the Google API console\n private static final String CLIENT_ID = System.getProperty(\"ext.gdata.clientid\", new String(Base64.getDecoder().decode(\"ODk1NTU1ODQzNjMwLWhkZWwyN3NxMDM5ZjFwMmZ0aGE2M2VvcWFpY2JwamZoLmFwcHMuZ29vZ2xldXNlcmNvbnRlbnQuY29t\")));\n private static final String CLIENT_SECRET = System.getProperty(\"ext.gdata.clientsecret\", new String(Base64.getDecoder().decode(\"R2V2TnZiTnA2a3IxeDd5c3VZNENmYlNo\")));\n```\n\nThe Base64 encoding can then be decoded to obtain the client id and client secret.\nThose credentials can then be used by other applications to request access to Google accounts, pretending they are OpenRefine. This assumes that they also get access to the user access tokens, which this vulnerability doesn\u0027t expose by itself.\n\n### Patches\n\nThe bundled credentials should be revoked.\n\n### Workarounds\n\nUsers should revoke access to their Google account if they have connected it to OpenRefine.\n",
"id": "GHSA-3pg4-qwc8-426r",
"modified": "2024-10-24T18:30:00Z",
"published": "2024-10-24T18:30:00Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-3pg4-qwc8-426r"
},
{
"type": "WEB",
"url": "https://github.com/OpenRefine/OpenRefine/commit/07dd61e00bb7f472ddcb243631299fba95ad90dd"
},
{
"type": "PACKAGE",
"url": "https://github.com/OpenRefine/OpenRefine"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "OpenRefine leaks Google API credentials in releases"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.