All the vulnerabilites related to OpenRefine - OpenRefine
cve-2024-23833
Vulnerability from cvelistv5
Published
2024-02-12 20:15
Modified
2025-05-07 21:02
Severity ?
EPSS score ?
Summary
OpenRefine JDBC Attack Vulnerability
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-6p92-qfqf-qwx4 | x_refsource_CONFIRM | |
| https://github.com/OpenRefine/OpenRefine/commit/41ccf574847d856e22488a7c0987ad8efa12a84a | x_refsource_MISC |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| OpenRefine | OpenRefine |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:13:08.511Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-6p92-qfqf-qwx4",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-6p92-qfqf-qwx4"
},
{
"name": "https://github.com/OpenRefine/OpenRefine/commit/41ccf574847d856e22488a7c0987ad8efa12a84a",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/OpenRefine/OpenRefine/commit/41ccf574847d856e22488a7c0987ad8efa12a84a"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-23833",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-14T15:08:29.186095Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-07T21:02:47.536Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "OpenRefine",
"vendor": "OpenRefine",
"versions": [
{
"status": "affected",
"version": "\u003c 3.7.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenRefine is a free, open source power tool for working with messy data and improving it. A jdbc attack vulnerability exists in OpenRefine(version\u003c=3.7.7) where an attacker may construct a JDBC query which may read files on the host filesystem. Due to the newer MySQL driver library in the latest version of OpenRefine (8.0.30), there is no associated deserialization utilization point, so original code execution cannot be achieved, but attackers can use this vulnerability to read sensitive files on the target server. This issue has been addressed in version 3.7.8. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-12T20:15:34.579Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-6p92-qfqf-qwx4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-6p92-qfqf-qwx4"
},
{
"name": "https://github.com/OpenRefine/OpenRefine/commit/41ccf574847d856e22488a7c0987ad8efa12a84a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OpenRefine/OpenRefine/commit/41ccf574847d856e22488a7c0987ad8efa12a84a"
}
],
"source": {
"advisory": "GHSA-6p92-qfqf-qwx4",
"discovery": "UNKNOWN"
},
"title": "OpenRefine JDBC Attack Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-23833",
"datePublished": "2024-02-12T20:15:34.579Z",
"dateReserved": "2024-01-22T22:23:54.340Z",
"dateUpdated": "2025-05-07T21:02:47.536Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-20157
Vulnerability from cvelistv5
Published
2018-12-14 23:00
Modified
2024-08-05 11:51
Severity ?
EPSS score ?
Summary
The data import functionality in OpenRefine through 3.1 allows an XML External Entity (XXE) attack through a crafted (zip) file, allowing attackers to read arbitrary files.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/OpenRefine/OpenRefine/issues/1907 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T11:51:19.259Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/OpenRefine/OpenRefine/issues/1907"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-12-14T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The data import functionality in OpenRefine through 3.1 allows an XML External Entity (XXE) attack through a crafted (zip) file, allowing attackers to read arbitrary files."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-12-14T23:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OpenRefine/OpenRefine/issues/1907"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-20157",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The data import functionality in OpenRefine through 3.1 allows an XML External Entity (XXE) attack through a crafted (zip) file, allowing attackers to read arbitrary files."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/OpenRefine/OpenRefine/issues/1907",
"refsource": "MISC",
"url": "https://github.com/OpenRefine/OpenRefine/issues/1907"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-20157",
"datePublished": "2018-12-14T23:00:00",
"dateReserved": "2018-12-14T00:00:00",
"dateUpdated": "2024-08-05T11:51:19.259Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-47878
Vulnerability from cvelistv5
Published
2024-10-24 20:11
Modified
2024-10-28 13:00
Severity ?
EPSS score ?
Summary
Reflected cross-site scripting vulnerability (XSS) in GData extension (authorized.vt)
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-pw3x-c5vp-mfc3 | x_refsource_CONFIRM | |
| https://github.com/OpenRefine/OpenRefine/commit/10bf0874d67f1018a58b3732332d76b840192fea | x_refsource_MISC |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| OpenRefine | OpenRefine |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:openrefine:openrefine:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "openrefine",
"vendor": "openrefine",
"versions": [
{
"lessThan": "3.8.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47878",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-28T13:00:08.510275Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-28T13:00:42.860Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "OpenRefine",
"vendor": "OpenRefine",
"versions": [
{
"status": "affected",
"version": "\u003c 3.8.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the `/extension/gdata/authorized` endpoint includes the `state` GET parameter verbatim in a `\u003cscript\u003e` tag in the output, so without escaping. An attacker could lead or redirect a user to a crafted URL containing JavaScript code, which would then cause that code to be executed in the victim\u0027s browser as if it was part of OpenRefine. Version 3.8.3 fixes this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-24T20:11:19.814Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-pw3x-c5vp-mfc3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-pw3x-c5vp-mfc3"
},
{
"name": "https://github.com/OpenRefine/OpenRefine/commit/10bf0874d67f1018a58b3732332d76b840192fea",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OpenRefine/OpenRefine/commit/10bf0874d67f1018a58b3732332d76b840192fea"
}
],
"source": {
"advisory": "GHSA-pw3x-c5vp-mfc3",
"discovery": "UNKNOWN"
},
"title": "Reflected cross-site scripting vulnerability (XSS) in GData extension (authorized.vt)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-47878",
"datePublished": "2024-10-24T20:11:19.814Z",
"dateReserved": "2024-10-04T16:00:09.630Z",
"dateUpdated": "2024-10-28T13:00:42.860Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-47882
Vulnerability from cvelistv5
Published
2024-10-24 20:35
Modified
2024-10-25 19:25
Severity ?
EPSS score ?
Summary
OpenRefine's error page lacks escaping, leading to potential Cross-site Scripting on import of malicious project
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| OpenRefine | OpenRefine |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:openrefine:openrefine:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "openrefine",
"vendor": "openrefine",
"versions": [
{
"lessThan": "3.8.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47882",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-25T19:21:06.124291Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-25T19:25:18.385Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "OpenRefine",
"vendor": "OpenRefine",
"versions": [
{
"status": "affected",
"version": "\u003c 3.8.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the built-in \"Something went wrong!\" error page includes the exception message and exception traceback without escaping HTML tags, enabling injection into the page if an attacker can reliably produce an error with an attacker-influenced message. It appears that the only way to reach this code in OpenRefine itself is for an attacker to somehow convince a victim to import a malicious file, which may be difficult. However, out-of-tree extensions may add their own calls to `respondWithErrorPage`. Version 3.8.3 has a fix for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-81",
"description": "CWE-81: Improper Neutralization of Script in an Error Message Web Page",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-24T20:35:30.254Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-j8hp-f2mj-586g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-j8hp-f2mj-586g"
},
{
"name": "https://github.com/OpenRefine/OpenRefine/commit/85594e75e7b36025f7b6a67dcd3ec253c5dff8c2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OpenRefine/OpenRefine/commit/85594e75e7b36025f7b6a67dcd3ec253c5dff8c2"
},
{
"name": "https://github.com/OpenRefine/OpenRefine/blob/master/main/webapp/modules/core/error.vt#L52-L53",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OpenRefine/OpenRefine/blob/master/main/webapp/modules/core/error.vt#L52-L53"
}
],
"source": {
"advisory": "GHSA-j8hp-f2mj-586g",
"discovery": "UNKNOWN"
},
"title": "OpenRefine\u0027s error page lacks escaping, leading to potential Cross-site Scripting on import of malicious project"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-47882",
"datePublished": "2024-10-24T20:35:30.254Z",
"dateReserved": "2024-10-04T16:00:09.631Z",
"dateUpdated": "2024-10-25T19:25:18.385Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-47880
Vulnerability from cvelistv5
Published
2024-10-24 20:21
Modified
2024-10-28 12:59
Severity ?
EPSS score ?
Summary
OpenRefine has a reflected cross-site scripting vulnerability from POST request in ExportRowsCommand
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-79jv-5226-783f | x_refsource_CONFIRM | |
| https://github.com/OpenRefine/OpenRefine/commit/8060477fa53842ebabf43b63e039745932fa629d | x_refsource_MISC |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| OpenRefine | OpenRefine |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:openrefine:openrefine:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "openrefine",
"vendor": "openrefine",
"versions": [
{
"lessThan": "3.8.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47880",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-28T12:58:37.653606Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-28T12:59:44.139Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "OpenRefine",
"vendor": "OpenRefine",
"versions": [
{
"status": "affected",
"version": "\u003c 3.8.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the `export-rows` command can be used in such a way that it reflects part of the request verbatim, with a Content-Type header also taken from the request. An attacker could lead a user to a malicious page that submits a form POST that contains embedded JavaScript code. This code would then be included in the response, along with an attacker-controlled `Content-Type` header, and so potentially executed in the victim\u0027s browser as if it was part of OpenRefine. The attacker-provided code can do anything the user can do, including deleting projects, retrieving database passwords, or executing arbitrary Jython or Closure expressions, if those extensions are also present. The attacker must know a valid project ID of a project that contains at least one row. Version 3.8.3 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-348",
"description": "CWE-348: Use of Less Trusted Source",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-24T20:21:49.595Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-79jv-5226-783f",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-79jv-5226-783f"
},
{
"name": "https://github.com/OpenRefine/OpenRefine/commit/8060477fa53842ebabf43b63e039745932fa629d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OpenRefine/OpenRefine/commit/8060477fa53842ebabf43b63e039745932fa629d"
}
],
"source": {
"advisory": "GHSA-79jv-5226-783f",
"discovery": "UNKNOWN"
},
"title": "OpenRefine has a reflected cross-site scripting vulnerability from POST request in ExportRowsCommand"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-47880",
"datePublished": "2024-10-24T20:21:49.595Z",
"dateReserved": "2024-10-04T16:00:09.630Z",
"dateUpdated": "2024-10-28T12:59:44.139Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-19859
Vulnerability from cvelistv5
Published
2018-12-05 11:00
Modified
2024-08-05 11:44
Severity ?
EPSS score ?
Summary
OpenRefine before 3.2 beta allows directory traversal via a relative pathname in a ZIP archive.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/OpenRefine/OpenRefine/issues/1840 | x_refsource_MISC | |
| https://github.com/OpenRefine/OpenRefine/pull/1901 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T11:44:20.563Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/OpenRefine/OpenRefine/issues/1840"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/OpenRefine/OpenRefine/pull/1901"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-12-09T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "OpenRefine before 3.2 beta allows directory traversal via a relative pathname in a ZIP archive."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-03-25T21:13:13",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OpenRefine/OpenRefine/issues/1840"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/OpenRefine/OpenRefine/pull/1901"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-19859",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OpenRefine before 3.2 beta allows directory traversal via a relative pathname in a ZIP archive."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/OpenRefine/OpenRefine/issues/1840",
"refsource": "MISC",
"url": "https://github.com/OpenRefine/OpenRefine/issues/1840"
},
{
"name": "https://github.com/OpenRefine/OpenRefine/pull/1901",
"refsource": "CONFIRM",
"url": "https://github.com/OpenRefine/OpenRefine/pull/1901"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-19859",
"datePublished": "2018-12-05T11:00:00",
"dateReserved": "2018-12-05T00:00:00",
"dateUpdated": "2024-08-05T11:44:20.563Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-37476
Vulnerability from cvelistv5
Published
2023-07-17 21:02
Modified
2025-06-10 15:30
Severity ?
EPSS score ?
Summary
Zip slip in OpenRefine
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-m88m-crr9-jvqq | x_refsource_CONFIRM | |
| https://github.com/OpenRefine/OpenRefine/commit/e9c1e65d58b47aec8cd676bd5c07d97b002f205e | x_refsource_MISC | |
| https://github.com/OpenRefine/OpenRefine/releases/tag/3.7.4 | x_refsource_MISC | |
| https://www.sonarsource.com/blog/openrefine-zip-slip | x_refsource_MISC |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| OpenRefine | OpenRefine |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:16:30.319Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-m88m-crr9-jvqq",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-m88m-crr9-jvqq"
},
{
"name": "https://github.com/OpenRefine/OpenRefine/commit/e9c1e65d58b47aec8cd676bd5c07d97b002f205e",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/OpenRefine/OpenRefine/commit/e9c1e65d58b47aec8cd676bd5c07d97b002f205e"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-37476",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-10T19:06:55.729037Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-10T19:19:28.239Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "OpenRefine",
"vendor": "OpenRefine",
"versions": [
{
"status": "affected",
"version": "\u003c 3.7.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenRefine is a free, open source tool for data processing. A carefully crafted malicious OpenRefine project tar file can be used to trigger arbitrary code execution in the context of the OpenRefine process if a user can be convinced to import it. The vulnerability exists in all versions of OpenRefine up to and including 3.7.3. Users should update to OpenRefine 3.7.4 as soon as possible. Users unable to upgrade should only import OpenRefine projects from trusted sources."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-10T15:30:33.285Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-m88m-crr9-jvqq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-m88m-crr9-jvqq"
},
{
"name": "https://github.com/OpenRefine/OpenRefine/commit/e9c1e65d58b47aec8cd676bd5c07d97b002f205e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OpenRefine/OpenRefine/commit/e9c1e65d58b47aec8cd676bd5c07d97b002f205e"
},
{
"name": "https://github.com/OpenRefine/OpenRefine/releases/tag/3.7.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OpenRefine/OpenRefine/releases/tag/3.7.4"
},
{
"name": "https://www.sonarsource.com/blog/openrefine-zip-slip",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.sonarsource.com/blog/openrefine-zip-slip"
}
],
"source": {
"advisory": "GHSA-m88m-crr9-jvqq",
"discovery": "UNKNOWN"
},
"title": "Zip slip in OpenRefine"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-37476",
"datePublished": "2023-07-17T21:02:46.588Z",
"dateReserved": "2023-07-06T13:01:36.999Z",
"dateUpdated": "2025-06-10T15:30:33.285Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-47881
Vulnerability from cvelistv5
Published
2024-10-24 20:31
Modified
2024-10-25 19:07
Severity ?
EPSS score ?
Summary
OpenRefine's SQLite integration allows filesystem access, remote code execution (RCE)
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-87cf-j763-vvh8 | x_refsource_CONFIRM | |
| https://github.com/OpenRefine/OpenRefine/commit/853a1d91662e7dc278a9a94a38be58de04494056 | x_refsource_MISC |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| OpenRefine | OpenRefine |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:openrefine:openrefine:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "openrefine",
"vendor": "openrefine",
"versions": [
{
"lessThanOrEqual": "3.4-beta",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "3.8.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47881",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-25T19:04:19.426390Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-25T19:07:07.083Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "OpenRefine",
"vendor": "OpenRefine",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.4-beta, \u003c 3.8.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenRefine is a free, open source tool for working with messy data. Starting in version 3.4-beta and prior to version 3.8.3, in the `database` extension, the \"enable_load_extension\" property can be set for the SQLite integration, enabling an attacker to load (local or remote) extension DLLs and so run arbitrary code on the server. The attacker needs to have network access to the OpenRefine instance. Version 3.8.3 fixes this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-24T20:31:09.314Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-87cf-j763-vvh8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-87cf-j763-vvh8"
},
{
"name": "https://github.com/OpenRefine/OpenRefine/commit/853a1d91662e7dc278a9a94a38be58de04494056",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OpenRefine/OpenRefine/commit/853a1d91662e7dc278a9a94a38be58de04494056"
}
],
"source": {
"advisory": "GHSA-87cf-j763-vvh8",
"discovery": "UNKNOWN"
},
"title": "OpenRefine\u0027s SQLite integration allows filesystem access, remote code execution (RCE)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-47881",
"datePublished": "2024-10-24T20:31:09.314Z",
"dateReserved": "2024-10-04T16:00:09.631Z",
"dateUpdated": "2024-10-25T19:07:07.083Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-47879
Vulnerability from cvelistv5
Published
2024-10-24 20:17
Modified
2024-10-25 15:24
Severity ?
EPSS score ?
Summary
OpenRefine's PreviewExpressionCommand, which is eval, lacks protection against cross-site request forgery (CSRF)
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-3jm4-c6qf-jrh3 | x_refsource_CONFIRM | |
| https://github.com/OpenRefine/OpenRefine/commit/090924ca923489b6c94397cf1f5df7f7f78f0126 | x_refsource_MISC |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| OpenRefine | OpenRefine |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:openrefine:openrefine:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "openrefine",
"vendor": "openrefine",
"versions": [
{
"lessThan": "3.8.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47879",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-25T15:23:58.665357Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-25T15:24:58.242Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "OpenRefine",
"vendor": "OpenRefine",
"versions": [
{
"status": "affected",
"version": "\u003c 3.8.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, lack of cross-site request forgery protection on the `preview-expression` command means that visiting a malicious website could cause an attacker-controlled expression to be executed. The expression can contain arbitrary Clojure or Python code. The attacker must know a valid project ID of a project that contains at least one row, and the attacker must convince the victim to open a malicious webpage. Version 3.8.3 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-24T20:17:55.106Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-3jm4-c6qf-jrh3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-3jm4-c6qf-jrh3"
},
{
"name": "https://github.com/OpenRefine/OpenRefine/commit/090924ca923489b6c94397cf1f5df7f7f78f0126",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OpenRefine/OpenRefine/commit/090924ca923489b6c94397cf1f5df7f7f78f0126"
}
],
"source": {
"advisory": "GHSA-3jm4-c6qf-jrh3",
"discovery": "UNKNOWN"
},
"title": "OpenRefine\u0027s PreviewExpressionCommand, which is eval, lacks protection against cross-site request forgery (CSRF)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-47879",
"datePublished": "2024-10-24T20:17:55.106Z",
"dateReserved": "2024-10-04T16:00:09.630Z",
"dateUpdated": "2024-10-25T15:24:58.242Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-41886
Vulnerability from cvelistv5
Published
2023-09-15 20:05
Modified
2024-09-25 18:48
Severity ?
EPSS score ?
Summary
OpenRefine vulnerable to arbitrary file read in project import with mysql jdbc url attack
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-qqh2-wvmv-h72m | x_refsource_CONFIRM | |
| https://github.com/OpenRefine/OpenRefine/commit/2de1439f5be63d9d0e89bbacbd24fa28c8c3e29d | x_refsource_MISC |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| OpenRefine | OpenRefine |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:09:49.319Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-qqh2-wvmv-h72m",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-qqh2-wvmv-h72m"
},
{
"name": "https://github.com/OpenRefine/OpenRefine/commit/2de1439f5be63d9d0e89bbacbd24fa28c8c3e29d",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/OpenRefine/OpenRefine/commit/2de1439f5be63d9d0e89bbacbd24fa28c8c3e29d"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-41886",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-25T18:48:10.230739Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-25T18:48:19.859Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "OpenRefine",
"vendor": "OpenRefine",
"versions": [
{
"status": "affected",
"version": "\u003c= 3.7.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenRefine is a powerful free, open source tool for working with messy data. Prior to version 3.7.5, an arbitrary file read vulnerability allows any unauthenticated user to read a file on a server. Version 3.7.5 fixes this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-15T20:05:20.651Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-qqh2-wvmv-h72m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-qqh2-wvmv-h72m"
},
{
"name": "https://github.com/OpenRefine/OpenRefine/commit/2de1439f5be63d9d0e89bbacbd24fa28c8c3e29d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OpenRefine/OpenRefine/commit/2de1439f5be63d9d0e89bbacbd24fa28c8c3e29d"
}
],
"source": {
"advisory": "GHSA-qqh2-wvmv-h72m",
"discovery": "UNKNOWN"
},
"title": "OpenRefine vulnerable to arbitrary file read in project import with mysql jdbc url attack"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-41886",
"datePublished": "2023-09-15T20:05:20.651Z",
"dateReserved": "2023-09-04T16:31:48.224Z",
"dateUpdated": "2024-09-25T18:48:19.859Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-41887
Vulnerability from cvelistv5
Published
2023-09-15 20:06
Modified
2024-09-25 18:55
Severity ?
EPSS score ?
Summary
Remote Code exec in project import with mysql jdbc url attack
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-p3r5-x3hr-gpg5 | x_refsource_CONFIRM | |
| https://github.com/OpenRefine/OpenRefine/commit/693fde606d4b5b78b16391c29d110389eb605511 | x_refsource_MISC |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| OpenRefine | OpenRefine |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:09:49.411Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-p3r5-x3hr-gpg5",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-p3r5-x3hr-gpg5"
},
{
"name": "https://github.com/OpenRefine/OpenRefine/commit/693fde606d4b5b78b16391c29d110389eb605511",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/OpenRefine/OpenRefine/commit/693fde606d4b5b78b16391c29d110389eb605511"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-41887",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-25T18:54:54.683245Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-25T18:55:03.906Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "OpenRefine",
"vendor": "OpenRefine",
"versions": [
{
"status": "affected",
"version": "\u003c= 3.7.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenRefine is a powerful free, open source tool for working with messy data. Prior to version 3.7.5, a remote code execution vulnerability allows any unauthenticated user to execute code on the server. Version 3.7.5 has a patch for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-15T20:06:55.728Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-p3r5-x3hr-gpg5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-p3r5-x3hr-gpg5"
},
{
"name": "https://github.com/OpenRefine/OpenRefine/commit/693fde606d4b5b78b16391c29d110389eb605511",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OpenRefine/OpenRefine/commit/693fde606d4b5b78b16391c29d110389eb605511"
}
],
"source": {
"advisory": "GHSA-p3r5-x3hr-gpg5",
"discovery": "UNKNOWN"
},
"title": "Remote Code exec in project import with mysql jdbc url attack"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-41887",
"datePublished": "2023-09-15T20:06:55.728Z",
"dateReserved": "2023-09-04T16:31:48.224Z",
"dateUpdated": "2024-09-25T18:55:03.906Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-49760
Vulnerability from cvelistv5
Published
2024-10-24 21:35
Modified
2024-10-25 17:22
Severity ?
EPSS score ?
Summary
OpenRefine has a path traversal in LoadLanguageCommand
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-qfwq-6jh6-8xx4 | x_refsource_CONFIRM | |
| https://github.com/OpenRefine/OpenRefine/commit/24d084052dc55426fe460f2a17524fd18d28b20c | x_refsource_MISC |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| OpenRefine | OpenRefine |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-49760",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-25T17:21:54.896334Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-25T17:22:03.158Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "OpenRefine",
"vendor": "OpenRefine",
"versions": [
{
"status": "affected",
"version": "\u003c 3.8.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenRefine is a free, open source tool for working with messy data. The load-language command expects a `lang` parameter from which it constructs the path of the localization file to load, of the form `translations-$LANG.json`. But when doing so in versions prior to 3.8.3, it does not check that the resulting path is in the expected directory, which means that this command could be exploited to read other JSON files on the file system. Version 3.8.3 addresses this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-24T21:35:28.932Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-qfwq-6jh6-8xx4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-qfwq-6jh6-8xx4"
},
{
"name": "https://github.com/OpenRefine/OpenRefine/commit/24d084052dc55426fe460f2a17524fd18d28b20c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OpenRefine/OpenRefine/commit/24d084052dc55426fe460f2a17524fd18d28b20c"
}
],
"source": {
"advisory": "GHSA-qfwq-6jh6-8xx4",
"discovery": "UNKNOWN"
},
"title": "OpenRefine has a path traversal in LoadLanguageCommand"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-49760",
"datePublished": "2024-10-24T21:35:28.932Z",
"dateReserved": "2024-10-18T13:43:23.455Z",
"dateUpdated": "2024-10-25T17:22:03.158Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-3580
Vulnerability from cvelistv5
Published
2019-01-03 01:00
Modified
2024-09-16 23:10
Severity ?
EPSS score ?
Summary
OpenRefine through 3.1 allows arbitrary file write because Directory Traversal can occur during the import of a crafted project file.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/OpenRefine/OpenRefine/issues/1927 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T19:12:09.562Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/OpenRefine/OpenRefine/issues/1927"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenRefine through 3.1 allows arbitrary file write because Directory Traversal can occur during the import of a crafted project file."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-01-03T01:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OpenRefine/OpenRefine/issues/1927"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-3580",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OpenRefine through 3.1 allows arbitrary file write because Directory Traversal can occur during the import of a crafted project file."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/OpenRefine/OpenRefine/issues/1927",
"refsource": "MISC",
"url": "https://github.com/OpenRefine/OpenRefine/issues/1927"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-3580",
"datePublished": "2019-01-03T01:00:00Z",
"dateReserved": "2019-01-02T00:00:00Z",
"dateUpdated": "2024-09-16T23:10:24.440Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-41401
Vulnerability from cvelistv5
Published
2023-08-04 00:00
Modified
2024-10-17 15:42
Severity ?
EPSS score ?
Summary
OpenRefine <= v3.5.2 contains a Server-Side Request Forgery (SSRF) vulnerability, which permits unauthorized users to exploit the system, potentially leading to unauthorized access to internal resources and sensitive file disclosure.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:42:46.213Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/OpenRefine/OpenRefine/blob/30d6edb7b6586623bda09456c797c35983fb80ff/main/tests/server/src/com/google/refine/importing/ImportingUtilitiesTests.java#L180"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/OpenRefine/OpenRefine/blob/cb55cdfdf6f9ca916839778dc847cce803688998/main/src/com/google/refine/importing/ImportingUtilities.java#L103"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/ixSly/CVE-2022-41401"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-41401",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-17T15:42:18.813941Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-17T15:42:26.366Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenRefine \u003c= v3.5.2 contains a Server-Side Request Forgery (SSRF) vulnerability, which permits unauthorized users to exploit the system, potentially leading to unauthorized access to internal resources and sensitive file disclosure."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-04T00:00:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/OpenRefine/OpenRefine/blob/30d6edb7b6586623bda09456c797c35983fb80ff/main/tests/server/src/com/google/refine/importing/ImportingUtilitiesTests.java#L180"
},
{
"url": "https://github.com/OpenRefine/OpenRefine/blob/cb55cdfdf6f9ca916839778dc847cce803688998/main/src/com/google/refine/importing/ImportingUtilities.java#L103"
},
{
"url": "https://github.com/ixSly/CVE-2022-41401"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-41401",
"datePublished": "2023-08-04T00:00:00",
"dateReserved": "2022-09-26T00:00:00",
"dateUpdated": "2024-10-17T15:42:26.366Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}