GHSA-3pg4-qwc8-426r

Source
https://github.com/advisories/GHSA-3pg4-qwc8-426r
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-3pg4-qwc8-426r/GHSA-3pg4-qwc8-426r.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-3pg4-qwc8-426r
Published
2024-10-24T18:30:00Z
Modified
2024-12-04T05:28:00.896147Z
Summary
OpenRefine leaks Google API credentials in releases
Details

Impact

OpenRefine releases contain Google API authentication keys (an OAuth "client id" and "client secret") that can be extracted from the released artifacts. For instance, download the package for OpenRefine 3.8.2 on Linux. It contains the file openrefine-3.8.2/webapp/extensions/gdata/module/MOD-INF/lib/openrefine-gdata.jar, which is a zip archive and can be unpacked. That archive contains the file com/google/refine/extension/gdata/GoogleAPIExtension.java, which includes the following lines:

    // For a production release, the second parameter (default value) can be set
    // for the following three properties (client_id, client_secret, and API key) to
    // the production values from the Google API console
    private static final String CLIENT_ID = System.getProperty("ext.gdata.clientid", new String(Base64.getDecoder().decode("ODk1NTU1ODQzNjMwLWhkZWwyN3NxMDM5ZjFwMmZ0aGE2M2VvcWFpY2JwamZoLmFwcHMuZ29vZ2xldXNlcmNvbnRlbnQuY29t")));
    private static final String CLIENT_SECRET = System.getProperty("ext.gdata.clientsecret", new String(Base64.getDecoder().decode("R2V2TnZiTnA2a3IxeDd5c3VZNENmYlNo")));

The Base64 strings are only an encoding, not encryption, so anyone who decodes them obtains the client id and client secret. With those values, another application can present itself to Google as the OpenRefine OAuth client when requesting access to Google accounts. Note that the leaked credentials identify the client only: this vulnerability does not by itself expose any user's access tokens, so impersonating OpenRefine only leads to account access if the attacker separately obtains those tokens.
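The extraction step above is mechanical, so it is worth automating as a check over every jar a build produces. The following is an added example (not OpenRefine project code) of a small heuristic scanner: it walks the entries of a jar, finds long Base64 string literals, decodes the ones that decode cleanly to printable ASCII, and flags decoded values that look like a Google OAuth client id or client secret. The sample jar it scans is constructed in memory from the two lines quoted above; the secret-format regexes are assumptions about Google's credential formats (legacy 24-character secrets and the newer "GOCSPX-" prefix), and the function and pattern names are this example's own.

```python
"""Heuristic scanner for Base64-obfuscated Google OAuth client credentials in a jar.

Added example, not OpenRefine code. The sample jar below is constructed from the
source lines quoted in the advisory so the scanner can be run offline.
"""
import base64
import io
import re
import zipfile

# A quoted Base64 literal long enough to hold a credential (16+ chars, optional padding).
B64_LITERAL = re.compile(rb'"([A-Za-z0-9+/]{16,}={0,2})"')

# Assumed formats: Google OAuth client ids end in .apps.googleusercontent.com;
# client secrets are either 24 url-safe characters (legacy) or "GOCSPX-" prefixed (newer).
CLIENT_ID_RE = re.compile(r"^\d+-[a-z0-9]+\.apps\.googleusercontent\.com$")
CLIENT_SECRET_RE = re.compile(r"^(GOCSPX-[A-Za-z0-9_-]+|[A-Za-z0-9_-]{24})$")

# Constructed sample: the two lines quoted in the advisory, wrapped in a minimal class.
SAMPLE_SOURCE = b"""
package com.google.refine.extension.gdata;
import java.util.Base64;
public class GoogleAPIExtension {
    private static final String CLIENT_ID = System.getProperty("ext.gdata.clientid", new String(Base64.getDecoder().decode("ODk1NTU1ODQzNjMwLWhkZWwyN3NxMDM5ZjFwMmZ0aGE2M2VvcWFpY2JwamZoLmFwcHMuZ29vZ2xldXNlcmNvbnRlbnQuY29t")));
    private static final String CLIENT_SECRET = System.getProperty("ext.gdata.clientsecret", new String(Base64.getDecoder().decode("R2V2TnZiTnA2a3IxeDd5c3VZNENmYlNo")));
}
"""


def build_sample_jar() -> bytes:
    """Build an in-memory jar (a zip) containing only the constructed sample source file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("com/google/refine/extension/gdata/GoogleAPIExtension.java", SAMPLE_SOURCE)
    return buf.getvalue()


def decode_literal(raw: bytes):
    """Return the decoded text if `raw` is strict Base64 for printable ASCII, else None."""
    try:
        text = base64.b64decode(raw, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def classify(decoded: str):
    """Label a decoded literal as a Google client id or secret, or None if it matches neither."""
    if CLIENT_ID_RE.match(decoded):
        return "google_client_id"
    if CLIENT_SECRET_RE.match(decoded):
        return "google_client_secret"
    return None


def scan_jar(jar_bytes: bytes):
    """Scan every file entry in the jar; return (entry name, kind, decoded value) findings.

    Works on raw bytes, so it covers .java sources and string constants in .class files alike.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for entry in jar.infolist():
            if entry.is_dir():
                continue
            data = jar.read(entry)
            for match in B64_LITERAL.finditer(data):
                decoded = decode_literal(match.group(1))
                if decoded is None:
                    continue
                kind = classify(decoded)
                if kind is not None:
                    findings.append((entry.filename, kind, decoded))
    return findings


if __name__ == "__main__":
    for name, kind, value in scan_jar(build_sample_jar()):
        # Print the id in full (it is public by design) but only the shape of the secret.
        shown = value if kind == "google_client_id" else f"<{len(value)} chars>"
        print(f"{name}: {kind} = {shown}")
```

The scanner deliberately matches on raw bytes rather than parsing Java: the same string constants survive compilation into the `.class` files' constant pool, so the check also works on jars that ship no source. In a release pipeline you would run `scan_jar` over every jar in the distribution and fail the build on any finding.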

Patches

Version 3.8.3 is the fixed release. The credentials bundled in earlier releases should be treated as compromised and revoked.

Workarounds

Users who have connected their Google account to OpenRefine should revoke that access from their Google account settings.

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-522"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-10-24T18:30:00Z"
}
References

Affected packages

Maven / org.openrefine:openrefine

Package

Name
org.openrefine:openrefine
Purl
pkg:maven/org.openrefine/openrefine

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
3.8.3

Affected versions

3.6-beta1
3.6-beta2
3.6-rc1
3.6.0
3.6.1
3.6.2
3.7-beta1
3.7-beta2
3.7.0
3.7.2
3.8-beta1
3.8-beta5
3.8.0
3.8.1
3.8.2