CVE-2024-47881

Name: CVE-2024-47881
Description: OpenRefine is a free, open source tool for working with messy data. Starting in version 3.4-beta and prior to version 3.8.3, in the `database` extension, the "enable_load_extension" property can be set for the SQLite integration, enabling an attacker to load (local or remote) extension DLLs and so run arbitrary code on the server. The attacker needs to have network access to the OpenRefine instance. Version 3.8.3 fixes this issue.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1086041

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package      Release       Version            Status
openrefine (PTS)    bookworm      3.6.2-2+deb12u2    vulnerable
                    sid, trixie   3.8.7-1            fixed

The information below is based on the following data on fixed versions.

Package      Type     Release      Fixed Version   Urgency   Origin   Debian Bugs
openrefine   source   (unstable)   3.8.7-1                            1086041

Notes

[bookworm] - openrefine <no-dsa> (Minor issue)
https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-87cf-j763-vvh8
https://github.com/OpenRefine/OpenRefine/commit/853a1d91662e7dc278a9a94a38be58de04494056
https://github.com/OpenRefine/OpenRefine/commit/8a5cced755f9d4544cfc9fd1b9dc9274807b5020 (3.8.3)
