CVE-2024-47881

NameCVE-2024-47881
DescriptionOpenRefine is a free, open source tool for working with messy data. Starting in version 3.4-beta and prior to version 3.8.3, in the `database` extension, the "enable_load_extension" property can be set for the SQLite integration, enabling an attacker to load (local or remote) extension DLLs and so run arbitrary code on the server. The attacker needs to have network access to the OpenRefine instance. Version 3.8.3 fixes this issue.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1086041

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
openrefine (PTS)bookworm3.6.2-2+deb12u2vulnerable
sid, trixie3.7.8-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
openrefinesource(unstable)(unfixed)1086041

Notes

https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-87cf-j763-vvh8
https://github.com/OpenRefine/OpenRefine/commit/853a1d91662e7dc278a9a94a38be58de04494056
https://github.com/OpenRefine/OpenRefine/commit/8a5cced755f9d4544cfc9fd1b9dc9274807b5020 (3.8.3)
Search for package or bug name: Reporting problems