CVE-2024-47881 Information
Nov 01, 2024
cve
Description
OpenRefine is a free open source tool for working with messy data. Starting in version 3.4-beta and prior to version 3.8.3, in the database extension, the "enable_load_extension" property can be set for the SQLite integration, enabling an attacker to load (local or remote) extension DLLs and so run arbitrary code on the server. The attacker needs to have network access to the OpenRefine instance. Version 3.8.3 fixes this issue.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Reference
https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-87cf-j763-vvh8
https://github.com/OpenRefine/OpenRefine/commit/853a1d91662e7dc278a9a94a38be58de04494056
Attack Complexity
LOW
Privileges Required
NONE
User Interaction Required
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
Base Score
8.8
Base Severity
HIGH