CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile: 75.5%
org.openrefine, database is vulnerable to Remote Code Execution (RCE). The vulnerability is caused by not validating, sanitizing or escaping the JDBC connection URL used while importing data from an RDBMS. This allows an unauthenticated attacker to run arbitrary code on the OpenRefine server by using existing JDBC connection URL attacks, such as the MySQL JDBC deserialization attack that uses the autoDeserialize and queryInterceptors parameters in the JDBC connection string.
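
One way to close this class of issue is to assemble the JDBC URL from individually validated fields so that user input can never contribute driver parameters. The sketch below is an added example, not OpenRefine's code or its actual fix; the class name JdbcUrlGuard, its methods and the sample values are hypothetical.

```java
import java.util.Properties;
import java.util.regex.Pattern;

// Added example (hypothetical class, not OpenRefine code).
public class JdbcUrlGuard {
    // Allowlists: plain host names / IPv4 literals and simple schema names only,
    // so '?', '&', '=', '%', '#', ':' and whitespace can never reach the URL.
    private static final Pattern HOST =
        Pattern.compile("^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$");
    private static final Pattern DATABASE = Pattern.compile("^[A-Za-z0-9_]{1,64}$");

    static String buildMysqlUrl(String host, int port, String database) {
        if (host == null || !HOST.matcher(host).matches())
            throw new IllegalArgumentException("host rejected");
        if (port < 1 || port > 65535)
            throw new IllegalArgumentException("port rejected");
        if (database == null || !DATABASE.matcher(database).matches())
            throw new IllegalArgumentException("database name rejected");
        // No query string is ever appended from user input.
        return "jdbc:mysql://" + host + ":" + port + "/" + database;
    }

    static Properties connectionProperties(String user, String password) {
        Properties props = new Properties();
        props.setProperty("user", user);
        props.setProperty("password", password);
        // Set explicitly instead of relying on the driver default.
        props.setProperty("autoDeserialize", "false");
        return props;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: {host, database}.
        String[][] samples = {
            {"db.internal.example", "sales"},
            {"db.internal.example", "sales?autoDeserialize=true"},
            {"db.internal.example:3306/x?queryInterceptors=y", "sales"},
        };
        for (String[] s : samples) {
            try {
                System.out.println("OK       " + buildMysqlUrl(s[0], 3306, s[1]));
            } catch (IllegalArgumentException e) {
                System.out.println("REJECTED (" + e.getMessage() + ") " + s[0] + " / " + s[1]);
            }
        }
    }
}
```

The returned URL and Properties are meant to be passed together to DriverManager.getConnection(url, props), so credentials and driver options come only from server-side code.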