CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
AI Score
Confidence
High
EPSS
Percentile
10.5%
OpenRefine is a free, open source power tool for working with messy data
and improving it. A JDBC attack vulnerability exists in
OpenRefine (version <= 3.7.7): an attacker can supply a crafted JDBC
connection string/query that causes the OpenRefine server to read files on the
host filesystem. Because the latest OpenRefine release ships a newer MySQL
driver library (Connector/J 8.0.30), there is no associated deserialization
sink, so the original code-execution path cannot be reached, but an attacker
can still use this vulnerability to read sensitive files on the target
server. This issue has been addressed in version 3.7.8. Users are advised to
upgrade. There are no known workarounds for this vulnerability.
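The description above does not spell out the mechanism, but the standard way a MySQL JDBC client is turned into a file reader is well known: the attacker points the connection string at a host they control and enables `allowLoadLocalInfile`; the rogue server then answers the first query with a `LOAD DATA LOCAL INFILE` request naming any file on the client, and the driver obligingly sends it. The following is an added example, not OpenRefine's code and not the fix from the referenced commit: a hypothetical `JdbcUrlGuard` class showing how an application that accepts user-supplied MySQL JDBC URLs can allow-list the connection options it permits and force the file-read and deserialization switches off before the URL ever reaches `DriverManager`. The allow-list contents, the default port, and the `connect` helper are assumptions for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Set;

/** Hypothetical guard for user-supplied MySQL JDBC URLs (added example, not OpenRefine code). */
public final class JdbcUrlGuard {

    // Harmless options a user may keep. Assumed allow-list; extend per deployment.
    // Anything not listed here (allowLoadLocalInfile, allowLoadLocalInfileInPath,
    // allowUrlInLocalInfile, autoDeserialize, queryInterceptors, ...) is refused.
    private static final Set<String> ALLOWED_KEYS = Set.of(
        "usessl", "requiressl", "sslmode", "characterencoding", "servertimezone",
        "connecttimeout", "sockettimeout");

    // Forced on every connection regardless of what the user asked for:
    // allowLoadLocalInfile=false makes the client refuse a LOAD DATA LOCAL request from
    // a rogue server; autoDeserialize=false stops BLOB columns being unserialized into
    // Java objects, the classic code-execution sink the advisory notes is absent in
    // newer drivers.
    private static final String FORCED_OPTIONS =
        "allowLoadLocalInfile=false&allowUrlInLocalInfile=false&autoDeserialize=false";

    /** Returns a rebuilt URL containing only host, port, database and allow-listed options. */
    public static String sanitize(String jdbcUrl) {
        // Only the plain scheme; mysql+srv, loadbalance, replication etc. are refused.
        if (jdbcUrl == null || !jdbcUrl.regionMatches(true, 0, "jdbc:mysql://", 0, 13)) {
            throw new IllegalArgumentException("only jdbc:mysql:// URLs are accepted");
        }
        final URI uri;
        try {
            uri = new URI(jdbcUrl.substring(5)); // drop "jdbc:" so java.net.URI can parse it
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("malformed JDBC URL", e);
        }
        // Multi-host authorities ("a:3306,b:3306") or embedded credentials yield no
        // parsable host; refuse rather than guess.
        if (uri.getHost() == null || uri.getUserInfo() != null) {
            throw new IllegalArgumentException("URL must be jdbc:mysql://host[:port]/database");
        }
        String db = uri.getPath();
        if (db == null || db.length() < 2 || db.indexOf('/', 1) >= 0) {
            throw new IllegalArgumentException("exactly one database name expected in the path");
        }
        List<String> kept = new ArrayList<>();
        if (uri.getRawQuery() != null) {
            for (String pair : uri.getRawQuery().split("&")) {
                if (pair.isEmpty()) continue;
                int eq = pair.indexOf('=');
                // Decode before comparing so "allow%4Cload..." style tricks are caught too.
                String key = URLDecoder.decode(eq < 0 ? pair : pair.substring(0, eq),
                                               StandardCharsets.UTF_8);
                if (!ALLOWED_KEYS.contains(key.toLowerCase(Locale.ROOT))) {
                    throw new IllegalArgumentException("connection option not permitted: " + key);
                }
                kept.add(pair);
            }
        }
        int port = uri.getPort() < 0 ? 3306 : uri.getPort(); // assumed default port
        StringBuilder out = new StringBuilder("jdbc:mysql://")
            .append(uri.getHost()).append(':').append(port).append(db).append('?');
        for (String pair : kept) out.append(pair).append('&');
        return out.append(FORCED_OPTIONS).toString();
    }

    /** Credentials go through the Properties overload, never into the URL. */
    public static Connection connect(String userUrl, String user, String password)
            throws SQLException {
        return DriverManager.getConnection(sanitize(userUrl), user, password);
    }

    public static void main(String[] args) {
        // Constructed sample inputs; 203.0.113.9 is a documentation address standing in
        // for an attacker-controlled rogue MySQL server.
        String[] samples = {
            "jdbc:mysql://db.internal:3306/refine?useSSL=true",
            "jdbc:mysql://203.0.113.9:3306/x?allowLoadLocalInfile=true",
            "jdbc:mysql://203.0.113.9:3306/x?ALLOWLOADLOCALINFILE=true",
            "jdbc:mysql://203.0.113.9:3306/x?allowUrlInLocalInfile=true&autoDeserialize=true",
            "jdbc:mysql://a:3306,b:3306/x",
            "jdbc:mysql+srv://203.0.113.9/x",
        };
        for (String s : samples) {
            try {
                System.out.println("ACCEPT " + sanitize(s));
            } catch (IllegalArgumentException e) {
                System.out.println("REJECT " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Two caveats a reviewer would raise. First, option filtering alone does not stop the attacker from pointing the connection at their own host; the forced `allowLoadLocalInfile=false` is what makes that connection harmless, so the forced options must be appended last and must not be overridable by user input, which is why the URL is rebuilt rather than patched. Second, none of this is a substitute for upgrading to 3.7.8, which the advisory names as the only known remedy; it is the shape of check to apply wherever an application hands untrusted connection strings to a JDBC driver.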
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 22.04 | noarch | openrefine | < any | UNKNOWN |
ubuntu | 24.04 | noarch | openrefine | < any | UNKNOWN |
github.com/OpenRefine/OpenRefine/commit/41ccf574847d856e22488a7c0987ad8efa12a84a (3.7.8)
github.com/OpenRefine/OpenRefine/security/advisories/GHSA-6p92-qfqf-qwx4
launchpad.net/bugs/cve/CVE-2024-23833
nvd.nist.gov/vuln/detail/CVE-2024-23833
security-tracker.debian.org/tracker/CVE-2024-23833
www.cve.org/CVERecord?id=CVE-2024-23833