Description
OpenRefine is a free, open source tool for working with messy data. Starting in version 3.4-beta and prior to version 3.8.3, in the `database` extension, the "enable_load_extension" property can be set for the SQLite integration, enabling an attacker to load (local or remote) extension DLLs and so run arbitrary code on the server. The attacker needs to have network access to the OpenRefine instance. Version 3.8.3 fixes this issue.
References (2)
Core 2
Core References
Exploit, Third Party Advisory x_refsource_confirm
https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-87cf-j763-vvh8
Scores
CVSS v3
8.1
EPSS
0.0029
EPSS Percentile
52.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-89
Status
published
Products (2)
openrefine/openrefine
3.4 - 3.8.3
org.openrefine/database
3.4-beta - 3.8.3Maven
Published
Oct 24, 2024
Tracked Since
Feb 18, 2026