CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-23833 – OpenRefine JDBC Attack Vulnerability
https://notcve.org/view.php?id=CVE-2024-23833
OpenRefine is a free, open source power tool for working with messy data and improving it. A jdbc attack vulnerability exists in OpenRefine(version<=3.7.7) where an attacker may construct a JDBC query which may read files on the host filesystem. Due to the newer MySQL driver library in the latest version of OpenRefine (8.0.30), there is no associated deserialization utilization point, so original code execution cannot be achieved, but attackers can use this vulnerability to read sensitive files on the target server. This issue has been addressed in version 3.7.8. Users are advised to upgrade. • https://github.com/OpenRefine/OpenRefine/commit/41ccf574847d856e22488a7c0987ad8efa12a84a https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-6p92-qfqf-qwx4 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-41887 – Remote Code exec in project import with mysql jdbc url attack
https://notcve.org/view.php?id=CVE-2023-41887
OpenRefine is a powerful free, open source tool for working with messy data. Prior to version 3.7.5, a remote code execution vulnerability allows any unauthenticated user to execute code on the server. Version 3.7.5 has a patch for this issue. OpenRefine es una potente herramienta gratuita de código abierto para trabajar con datos desordenados. Antes de la versión 3.7.5, una vulnerabilidad de ejecución remota de código permitía a cualquier usuario no autenticado ejecutar código en el servidor. • https://github.com/OpenRefine/OpenRefine/commit/693fde606d4b5b78b16391c29d110389eb605511 https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-p3r5-x3hr-gpg5 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2023-41886 – OpenRefine vulnerable to arbitrary file read in project import with mysql jdbc url attack
https://notcve.org/view.php?id=CVE-2023-41886
OpenRefine is a powerful free, open source tool for working with messy data. Prior to version 3.7.5, an arbitrary file read vulnerability allows any unauthenticated user to read a file on a server. Version 3.7.5 fixes this issue. OpenRefine es una potente herramienta gratuita de código abierto para trabajar con datos desordenados. Antes de la versión 3.7.5, una vulnerabilidad de lectura de archivos arbitraria permitía a cualquier usuario no autenticado leer un archivo en un servidor. • https://github.com/OpenRefine/OpenRefine/commit/2de1439f5be63d9d0e89bbacbd24fa28c8c3e29d https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-qqh2-wvmv-h72m • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1CVE-2022-41401
https://notcve.org/view.php?id=CVE-2022-41401
OpenRefine <= v3.5.2 contains a Server-Side Request Forgery (SSRF) vulnerability, which permits unauthorized users to exploit the system, potentially leading to unauthorized access to internal resources and sensitive file disclosure. OpenRefine contiene una vulnerabilidad de Server-Side Request Forgery (SSRF) que afecta a las versiones 3.5.2 e inferiores. Esto permite a usuarios no autorizados explotar el sistema, llevando potencialmente al acceso no autorizado a recursos internos y a la divulgación de archivos sensibles. • https://github.com/ixSly/CVE-2022-41401 https://github.com/OpenRefine/OpenRefine/blob/30d6edb7b6586623bda09456c797c35983fb80ff/main/tests/server/src/com/google/refine/importing/ImportingUtilitiesTests.java#L180 https://github.com/OpenRefine/OpenRefine/blob/cb55cdfdf6f9ca916839778dc847cce803688998/main/src/com/google/refine/importing/ImportingUtilities.java#L103 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-37476 – Zip slip in OpenRefine
https://notcve.org/view.php?id=CVE-2023-37476
OpenRefine is a free, open source tool for data processing. A carefully crafted malicious OpenRefine project tar file can be used to trigger arbitrary code execution in the context of the OpenRefine process if a user can be convinced to import it. The vulnerability exists in all versions of OpenRefine up to and including 3.7.3. Users should update to OpenRefine 3.7.4 as soon as possible. Users unable to upgrade should only import OpenRefine projects from trusted sources. • https://github.com/OpenRefine/OpenRefine/commit/e9c1e65d58b47aec8cd676bd5c07d97b002f205e https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-m88m-crr9-jvqq • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •