CVE-2024-23833 - Vulnerability Details

Vendors	Products
Openrefine	Openrefine

Link	Providers
https://github.com/OpenRefine/OpenRefine/commit/41ccf574847d856e22488a7c0987ad8efa12a84a
https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-6p92-qfqf-qwx4

Type	Values Removed	Values Added
First Time appeared		Openrefine Openrefine openrefine
Weaknesses		CWE-863
CPEs		cpe:2.3:a:openrefine:openrefine::::::::
Vendors & Products		Openrefine Openrefine openrefine

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-23833", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-01-22T22:23:54.340Z", "datePublished": "2024-02-12T20:15:34.579Z", "dateUpdated": "2024-08-01T23:13:08.511Z"}, "containers": {"cna": {"title": "OpenRefine JDBC Attack Vulnerability", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-6p92-qfqf-qwx4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-6p92-qfqf-qwx4"}, {"name": "https://github.com/OpenRefine/OpenRefine/commit/41ccf574847d856e22488a7c0987ad8efa12a84a", "tags": ["x_refsource_MISC"], "url": "https://github.com/OpenRefine/OpenRefine/commit/41ccf574847d856e22488a7c0987ad8efa12a84a"}], "affected": [{"vendor": "OpenRefine", "product": "OpenRefine", "versions": [{"version": "< 3.7.8", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-02-12T20:15:34.579Z"}, "descriptions": [{"lang": "en", "value": "OpenRefine is a free, open source power tool for working with messy data and improving it. A jdbc attack vulnerability exists in OpenRefine(version<=3.7.7) where an attacker may construct a JDBC query which may read files on the host filesystem. Due to the newer MySQL driver library in the latest version of OpenRefine (8.0.30), there is no associated deserialization utilization point, so original code execution cannot be achieved, but attackers can use this vulnerability to read sensitive files on the target server. This issue has been addressed in version 3.7.8. Users are advised to upgrade. There are no known workarounds for this vulnerability."}], "source": {"advisory": "GHSA-6p92-qfqf-qwx4", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:13:08.511Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-6p92-qfqf-qwx4", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-6p92-qfqf-qwx4"}, {"name": "https://github.com/OpenRefine/OpenRefine/commit/41ccf574847d856e22488a7c0987ad8efa12a84a", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/OpenRefine/OpenRefine/commit/41ccf574847d856e22488a7c0987ad8efa12a84a"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openrefine:openrefine:*:*:*:*:*:*:*:*", "matchCriteriaId": "05E76B8C-0DC1-44AA-9DBE-8EAFBF955AA0", "versionEndExcluding": "3.7.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "OpenRefine is a free, open source power tool for working with messy data and improving it. A jdbc attack vulnerability exists in OpenRefine(version<=3.7.7) where an attacker may construct a JDBC query which may read files on the host filesystem. Due to the newer MySQL driver library in the latest version of OpenRefine (8.0.30), there is no associated deserialization utilization point, so original code execution cannot be achieved, but attackers can use this vulnerability to read sensitive files on the target server. This issue has been addressed in version 3.7.8. Users are advised to upgrade. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "OpenRefine es una poderosa herramienta gratuita y de c\u00f3digo abierto para trabajar con datos desordenados y mejorarlos. Existe una vulnerabilidad de ataque jdbc en OpenRefine (versi\u00f3n <= 3.7.7) donde un atacante puede construir una consulta JDBC que puede leer archivos en el sistema de archivos del host. Debido a la librer\u00eda de controladores MySQL m\u00e1s nueva en la \u00faltima versi\u00f3n de OpenRefine (8.0.30), no hay ning\u00fan punto de utilizaci\u00f3n de deserializaci\u00f3n asociado, por lo que no se puede lograr la ejecuci\u00f3n del c\u00f3digo original, pero los atacantes pueden usar esta vulnerabilidad para leer archivos confidenciales en el servidor de destino. Este problema se solucion\u00f3 en la versi\u00f3n 3.7.8. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."}], "id": "CVE-2024-23833", "lastModified": "2024-11-21T08:58:31.330", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "[email protected]", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "[email protected]", "type": "Primary"}]}, "published": "2024-02-12T21:15:08.760", "references": [{"source": "[email protected]", "tags": ["Patch"], "url": "https://github.com/OpenRefine/OpenRefine/commit/41ccf574847d856e22488a7c0987ad8efa12a84a"}, {"source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-6p92-qfqf-qwx4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/OpenRefine/OpenRefine/commit/41ccf574847d856e22488a7c0987ad8efa12a84a"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-6p92-qfqf-qwx4"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "[email protected]", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-863"}], "source": "[email protected]", "type": "Primary"}]}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object