CVE-2024-47881

HIGH

OpenRefine 3.4-beta-3.8.2 - Remote Code Execution via SQLite Extension Loading

Title source: llm

Description

OpenRefine is a free, open source tool for working with messy data. Starting in version 3.4-beta and prior to version 3.8.3, in the `database` extension, the "enable_load_extension" property can be set for the SQLite integration, enabling an attacker to load (local or remote) extension DLLs and so run arbitrary code on the server. The attacker needs to have network access to the OpenRefine instance. Version 3.8.3 fixes this issue.

References (2)

Core 2

Core References

Exploit, Third Party Advisory x_refsource_confirm

https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-87cf-j763-vvh8

Patch x_refsource_misc

https://github.com/OpenRefine/OpenRefine/commit/853a1d91662e7dc278a9a94a38be58de04494056

View Patch ZIP pw:eip

Scores

CVSS v3 8.1

EPSS 0.0066

EPSS Percentile 46.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-89

Status published

Products (2)

openrefine/openrefine 3.4 - 3.8.3

org.openrefine/database 3.4-beta - 3.8.3Maven

Published Oct 24, 2024

Tracked Since Feb 18, 2026