OpenRefine is a free, open source tool for working with messy data. Starting in version 3.4-beta and prior to version 3.8.3, in the `database` extension, the "enable_load_extension" property can be set for the SQLite integration, enabling an attacker to load (local or remote) extension DLLs and so run arbitrary code on the server. The attacker needs to have network access to the OpenRefine instance. Version 3.8.3 fixes this issue.
References
Link | Resource |
---|---|
https://github.com/OpenRefine/OpenRefine/commit/853a1d91662e7dc278a9a94a38be58de04494056 | Patch |
https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-87cf-j763-vvh8 | Exploit Third Party Advisory |
Configurations
History
28 Oct 2024, 14:14
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:openrefine:openrefine:*:*:*:*:*:*:*:* | |
First Time |
Openrefine openrefine
Openrefine |
|
References | () https://github.com/OpenRefine/OpenRefine/commit/853a1d91662e7dc278a9a94a38be58de04494056 - Patch | |
References | () https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-87cf-j763-vvh8 - Exploit, Third Party Advisory | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.8 |
25 Oct 2024, 12:56
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
24 Oct 2024, 21:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-10-24 21:15
Updated : 2024-10-28 14:14
NVD link : CVE-2024-47881
Mitre link : CVE-2024-47881
CVE.ORG link : CVE-2024-47881
JSON object : View
Products Affected
openrefine
- openrefine
CWE
CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')