CVE-2023-41887
Published 2023-09-15
Priority P278 · critical · 9.8 · CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 45.47% (98.6th percentile)
OpenRefine is a powerful free, open source tool for working with messy data. Prior to version 3.7.5, a remote code execution vulnerability allows any unauthenticated user to execute code on the server. Version 3.7.5 has a patch for this issue.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | openrefine | < openrefine 3.6.2-2+deb12u2 (bookworm) | openrefine 3.6.2-2+deb12u2 (bookworm) |
| openrefine | openrefine | < 3.7.5 | 3.7.5 |
| openrefine | openrefine | <= 3.7.4 | — |
| openrefine | openrefine | >= 0 < 3.6.2-2+deb12u2 | 3.6.2-2+deb12u2 |
| openrefine | openrefine | >= 0 < 3.7.5-1 | 3.7.5-1 |
| openrefine | openrefine | >= 0 < 3.7.5-1 | 3.7.5-1 |
| openrefine | openrefine | >= 0 < 3.5.2-1ubuntu0.1~esm1 | 3.5.2-1ubuntu0.1~esm1 |
| openrefine | openrefine | >= 0 < 3.7.7-1ubuntu0.1~esm1 | 3.7.7-1ubuntu0.1~esm1 |
Detection & IOCs
- Unauthenticated remote code execution in OpenRefine versions prior to 3.7.5; detect exploitation attempts targeting OpenRefine HTTP endpoints without authentication headers.
- Vulnerable versions are OpenRefine < 3.7.5; patched in 3.7.5. Debian bookworm fix is in 3.6.2-2+deb12u2.
- Debian bookworm resolves this with a backport (3.6.2-2+deb12u2), not the upstream 3.7.5 release; ensure version checks account for this.
CVSS provenance
- nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- ghsa · 9.8 CRITICAL
- osv · 9.8 CRITICAL
- vendor_debian · 9.8 CRITICAL
- vendor_ubuntu · 5.5 MEDIUM
Ubuntu
OpenRefine vulnerabilities
vendor_ubuntu·2025-02-10·CVSS 5.5
CVE-2024-47882 [MEDIUM] OpenRefine vulnerabilities
Title: OpenRefine vulnerabilities
Summary: Several security issues were fixed in OpenRefine.
It was discovered that OpenRefine did not properly handle opening tar
files. If a user or application were tricked into opening a crafted tar
file, an attacker could possibly use this issue to execute arbitrary code.
This issue only affected Ubuntu 22.04 LTS. (CVE-2023-37476)
It was discovered that OpenRefine incorrectly handled file permissions and
user authentication. An unauthenticated attacker could possibly use this
issue to leak sensitive information or execute arbitrary code. This issue
only affected Ubuntu 22.04 LTS. (CVE-2023-41886, CVE-2023-41887)
It was discovered that OpenRefine did not properly disallow database
settings to be modified when queried. An attacker could possibly use t
Debian
CVE-2023-41887: openrefine - OpenRefine is a powerful free, open source tool for working with messy data. Pri...
vendor_debian·2023·CVSS 9.8
CVE-2023-41887 [CRITICAL] CVE-2023-41887: openrefine - OpenRefine is a powerful free, open source tool for working with messy data. Pri...
OpenRefine is a powerful free, open source tool for working with messy data. Prior to version 3.7.5, a remote code execution vulnerability allows any unauthenticated user to execute code on the server. Version 3.7.5 has a patch for this issue.
Scope: local
bookworm: resolved (fixed in 3.6.2-2+deb12u2)
forky: resolved (fixed in 3.7.5-1)
sid: resolved (fixed in 3.7.5-1)
trixie: resolved (fixed in 3.7.5-1)
OSV
openrefine vulnerabilities
osv·2025-02-10·CVSS 7.8
CVE-2023-37476 [HIGH] openrefine vulnerabilities
openrefine vulnerabilities
It was discovered that OpenRefine did not properly handle opening tar
files. If a user or application were tricked into opening a crafted tar
file, an attacker could possibly use this issue to execute arbitrary code.
This issue only affected Ubuntu 22.04 LTS. (CVE-2023-37476)
It was discovered that OpenRefine incorrectly handled file permissions and
user authentication. An unauthenticated attacker could possibly use this
issue to leak sensitive information or execute arbitrary code. This issue
only affected Ubuntu 22.04 LTS. (CVE-2023-41886, CVE-2023-41887)
It was discovered that OpenRefine did not properly disallow database
settings to be modified when queried. An attacker could possibly use this
issue to leak sensitive information. This issue only affected
U
GHSA
OpenRefine JDBC Attack Vulnerability
ghsa·2024-02-12·CVSS 9.8
CVE-2024-23833 [CRITICAL] CWE-22 OpenRefine JDBC Attack Vulnerability
OpenRefine JDBC Attack Vulnerability
### Summary
A JDBC attack vulnerability exists in OpenRefine (version <= 3.7.7).
### Details
#### Vulnerability Recurrence
Start by constructing a malicious MySQL Server (using the open source project MySQL_Fake_Server here).
Then go to the JDBC connection to trigger the vulnerability.
#### Vulnerability Analysis
This vulnerability is a bypass of the fix for `CVE-2023-41887`. The main vulnerability principle is actually the use of official syntax features: as shown in the following figure, when connecting we can perform parameter configuration in the Host part.
In `com.google.refine.extension.database.mysql.MySQLConnectionManager#getConnection` method in the final JdbcUrl structure
That is, in the `toURI` method call here, you can see that the
OSV
OpenRefine JDBC Attack Vulnerability
osv·2024-02-12·CVSS 9.8
CVE-2024-23833 [CRITICAL] OpenRefine JDBC Attack Vulnerability
OSV
CVE-2023-41887: OpenRefine is a powerful free, open source tool for working with messy data
osv·2023-09-15·CVSS 9.8
CVE-2023-41887 [CRITICAL] CVE-2023-41887: OpenRefine is a powerful free, open source tool for working with messy data
OpenRefine is a powerful free, open source tool for working with messy data. Prior to version 3.7.5, a remote code execution vulnerability allows any unauthenticated user to execute code on the server. Version 3.7.5 has a patch for this issue.
OSV
OpenRefine Remote Code execution in project import with mysql jdbc url attack
osv·2023-09-12
CVE-2023-41887 [CRITICAL] OpenRefine Remote Code execution in project import with mysql jdbc url attack
OpenRefine Remote Code execution in project import with mysql jdbc url attack
### Summary
A remote code exec vulnerability allows any unauthenticated user to exec code on the server.
### Details
Hi, Team,
I find OpenRefine supports importing data from a database. When using MySQL JDBC to connect to the database, it is vulnerable to JDBC URL attacks. For example, an unauthenticated attacker can get RCE on the server through the mysql userializable if the mysql-connector-java version used on the server side is less than 8.20.
In order for the server to enable deserialization we need to set the `autoDeserialize` and `queryInterceptors` parameters in the connection string. Same as with https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-qqh2-wvmv-h72m, since the concatenation string is a direct
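One way to reject the inputs both advisories above describe (connection properties such as `autoDeserialize` and `queryInterceptors` carried in a directly concatenated field, or configured through the Host part) before a JDBC URL is built. This is an added example, not OpenRefine's code or its patch; the function name, field names, allow-list patterns and sample values are assumptions.

```python
import re
from urllib.parse import unquote

# Connection properties the advisory names as needed to enable deserialization.
RISKY_PROPS = ("autodeserialize", "queryinterceptors")
# Allow-lists (assumed policy): bare hostname or IPv4 literal, simple schema name.
HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")
DB_RE = re.compile(r"[A-Za-z0-9_$-]{1,64}")
PORT_RE = re.compile(r"[0-9]{1,5}")

def _decode(value, rounds=3):
    """Percent-decode repeatedly so %3F and %253F style encodings are seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def check_connection_fields(host, port, database):
    """Return findings for user-supplied fields; an empty list means plain values."""
    fields = {"host": _decode(str(host)), "port": _decode(str(port)),
              "database": _decode(str(database))}
    findings = []
    for name, value in fields.items():
        for prop in RISKY_PROPS:
            if prop in value.lower():
                findings.append(f"{name}: names connection property {prop!r}")
    # Anything outside the allow-list could carry '?', '&', '=', '(' or ','
    # and so add properties once the field is concatenated into the URL.
    if not HOST_RE.fullmatch(fields["host"]):
        findings.append("host: not a bare hostname or IPv4 address")
    if not PORT_RE.fullmatch(fields["port"]) or not 0 < int(fields["port"]) < 65536:
        findings.append("port: not a TCP port number")
    if not DB_RE.fullmatch(fields["database"]):
        findings.append("database: contains URL syntax characters")
    return findings

# Constructed sample inputs (not taken from any real request); values are inert.
SAMPLES = {
    "plain": ("db.internal.example", 3306, "sales"),
    "query_in_db": ("db.internal.example", 3306,
                    "sales?autoDeserialize=true&queryInterceptors=x"),
    "encoded_db": ("db.internal.example", 3306, "sales%3FautoDeserialize%3Dtrue"),
    "kv_host": ("(host=db.internal.example,autoDeserialize=true)", 3306, "sales"),
}

if __name__ == "__main__":
    for label, sample in SAMPLES.items():
        print(label, check_connection_fields(*sample))
```

The allow-list does the real work; the property-name match only makes the finding easier to triage in logs.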
GHSA
OpenRefine Remote Code execution in project import with mysql jdbc url attack
ghsa·2023-09-12
CVE-2023-41887 [CRITICAL] CWE-89 OpenRefine Remote Code execution in project import with mysql jdbc url attack
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/OpenRefine/OpenRefine/commit/693fde606d4b5b78b16391c29d110389eb605511
https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-p3r5-x3hr-gpg5