CVE-2024-47881 HIGH

CVE-2024-47881: OpenRefine's SQLite integration allows filesystem access, remote code execution (RCE)

Vendor Openrefine
Product OpenRefine
Weakness CWE-89 · SQLi
Published October 24, 2024
Last update October 25, 2024

CVSS base score

8.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

What the vulnerability does

Description

OpenRefine is a free, open source tool for working with messy data. Starting in version 3.4-beta and prior to version 3.8.3, in the `database` extension, the "enable_load_extension" property can be set for the SQLite integration, enabling an attacker to load (local or remote) extension DLLs and so run arbitrary code on the server. The attacker needs to have network access to the OpenRefine instance. Version 3.8.3 fixes this issue.

Key dates

Disclosure timeline

October 24, 2024 CVE published
October 25, 2024 Record updated