Openrefine
CVE-2024-23833
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionNVD
OpenRefine is a free, open source power tool for working with messy data and improving it. A jdbc attack vulnerability exists in OpenRefine(version<=3.7.7) where an attacker may construct a JDBC query which may read files on the host filesystem. Due to the newer MySQL driver library in the latest version of OpenRefine (8.0.30), there is no associated deserialization utilization point, so original code execution cannot be achieved, but attackers can use this vulnerability to read sensitive files on the target server. This issue has been addressed in version 3.7.8. Users are advised to upgrade. There are no known workarounds for this vulnerability.
AnalysisAI
OpenRefine is a free, open source power tool for working with messy data and improving it. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Technical ContextAI
This vulnerability is classified as Path Traversal (CWE-22), which allows attackers to access files and directories outside the intended path. OpenRefine is a free, open source power tool for working with messy data and improving it. A jdbc attack vulnerability exists in OpenRefine(version<=3.7.7) where an attacker may construct a JDBC query which may read files on the host filesystem. Due to the newer MySQL driver library in the latest version of OpenRefine (8.0.30), there is no associated deserialization utilization point, so original code execution cannot be achieved, but attackers can use this vulnerability to read sensitive files on the target server. This issue has been addressed in version 3.7.8. Users are advised to upgrade. There are no known workarounds for this vulnerability. Affected products include: Openrefine. Version information: version 3.7.8..
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Validate and canonicalize file paths. Use chroot or sandboxing. Reject input containing path separators or '../' sequences.
More in Openrefine
View allOpenRefine is a powerful free, open source tool for working with messy data. Rated critical severity (CVSS 9.8), this vu
OpenRefine is a free, open source tool for working with messy data. Rated high severity (CVSS 8.8), this vulnerability i
OpenRefine is a free, open source tool for working with messy data. Rated high severity (CVSS 8.8), this vulnerability i
OpenRefine is a powerful free, open source tool for working with messy data. Rated high severity (CVSS 7.5), this vulner
OpenRefine through 3.1 allows arbitrary file write because Directory Traversal can occur during the import of a crafted
The data import functionality in OpenRefine through 3.1 allows an XML External Entity (XXE) attack through a crafted (zi
OpenRefine is a free, open source tool for working with messy data. Rated medium severity (CVSS 6.9), this vulnerability
OpenRefine before 3.2 beta allows directory traversal via a relative pathname in a ZIP archive. Rated medium severity (C
OpenRefine is a free, open source tool for working with messy data. Rated medium severity (CVSS 6.1), this vulnerability
OpenRefine is a free, open source tool for working with messy data. Rated medium severity (CVSS 6.1), this vulnerability
OpenRefine is a free, open source tool for data processing. Rated high severity (CVSS 7.8), this vulnerability is no aut
OpenRefine is a free, open source tool for working with messy data. Rated medium severity (CVSS 5.3), this vulnerability
Same weakness CWE-22 – Path Traversal
View allSame technique Deserialization
View allShare
External POC / Exploit Code
Leaving vuln.today