CVE-2023-41886
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2023-41886
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-41886.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2023-41886
- Aliases
- Downstream
- Published
- 2023-09-15T20:05:20Z
- Modified
- 2025-10-30T20:22:44.717076Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- OpenRefine vulnerable to arbitrary file read in project import with mysql jdbc url attack
- Details
-
OpenRefine is a powerful free, open source tool for working with messy data. Prior to version 3.7.5, an arbitrary file read vulnerability allows any unauthenticated user to read a file on a server. Version 3.7.5 fixes this issue.
- Database specific
{ "cwe_ids": [ "CWE-89" ] }- References
Affected packages
Git / github.com/openrefine/openrefine
Affected ranges
- Type
- GIT
- Repo
- https://github.com/openrefine/openrefine
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
1.*
1.1
2.*
2.6-alpha.2
2.6-alpha1
2.6-beta.1
2.6-rc.2
2.7
2.7-rc.1
2.7-rc.2
2.8
3.*
3.0
3.0-beta
3.0-rc.1
3.1
3.1-beta
3.2
3.2-beta
3.3
3.3-beta
3.3-rc1
3.4-beta
3.5-beta1
3.7-beta2
v2.*
v2.6-rc1
Database specific
vanir_signatures
[
{
"signature_version": "v1",
"target": {
"function": "getConnection",
"file": "extensions/database/src/com/google/refine/extension/database/mariadb/MariaDBConnectionManager.java"
},
"deprecated": false,
"source": "https://github.com/openrefine/openrefine/commit/2de1439f5be63d9d0e89bbacbd24fa28c8c3e29d",
"digest": {
"function_hash": "112013358395284153371966215564124581510",
"length": 931.0
},
"id": "CVE-2023-41886-0a644659",
"signature_type": "Function"
},
{
"signature_version": "v1",
"target": {
"file": "extensions/database/src/com/google/refine/extension/database/sqlite/SQLiteConnectionManager.java"
},
"deprecated": false,
"source": "https://github.com/openrefine/openrefine/commit/2de1439f5be63d9d0e89bbacbd24fa28c8c3e29d",
"digest": {
"threshold": 0.9,
"line_hashes": [
"327175276617973140236574177639281372902",
"133401992607196297346054102790149442849",
"107966929631629464680997212269128087442",
"115126231447599679618367908713702056201",
"107299902640020052692365499410267929566",
"270127851368886019188868544405153422003",
"49864026166585960194532247500852524490"
]
},
"id": "CVE-2023-41886-1579884e",
"signature_type": "Line"
},
{
"signature_version": "v1",
"target": {
"file": "extensions/database/src/com/google/refine/extension/database/pgsql/PgSQLConnectionManager.java"
},
"deprecated": false,
"source": "https://github.com/openrefine/openrefine/commit/2de1439f5be63d9d0e89bbacbd24fa28c8c3e29d",
"digest": {
"threshold": 0.9,
"line_hashes": [
"51105809074562124868865597715872615067",
"176662979713726992854720158334792335592",
"304912067826687412005557055737383317470",
"204201973635903445520940849547246821035",
"242627320899175369581014955349415517909",
"72912773042994451738971112840290549233",
"317973846602094683004465163010862295351",
"16623836675517359104695111435518884941",
"1765836474915455923284713653214629070",
"321880713943457350286048360181421579566"
]
},
"id": "CVE-2023-41886-1ac9f05f",
"signature_type": "Line"
},
{
"signature_version": "v1",
"target": {
"file": "extensions/database/src/com/google/refine/extension/database/mariadb/MariaDBConnectionManager.java"
},
"deprecated": false,
"source": "https://github.com/openrefine/openrefine/commit/2de1439f5be63d9d0e89bbacbd24fa28c8c3e29d",
"digest": {
"threshold": 0.9,
"line_hashes": [
"51105809074562124868865597715872615067",
"176662979713726992854720158334792335592",
"304912067826687412005557055737383317470",
"207346423794384072692578311523052471007",
"65194962948448113154920370122671442619",
"242627320899175369581014955349415517909",
"72912773042994451738971112840290549233",
"317973846602094683004465163010862295351",
"16623836675517359104695111435518884941",
"1765836474915455923284713653214629070",
"321880713943457350286048360181421579566"
]
},
"id": "CVE-2023-41886-2c6d149b",
"signature_type": "Line"
},
{
"signature_version": "v1",
"target": {
"file": "extensions/database/src/com/google/refine/extension/database/mysql/MySQLConnectionManager.java"
},
"deprecated": false,
"source": "https://github.com/openrefine/openrefine/commit/2de1439f5be63d9d0e89bbacbd24fa28c8c3e29d",
"digest": {
"threshold": 0.9,
"line_hashes": [
"93499350387352243716344320377595364388",
"267136940035318533730105852909472639718",
"28535246610280580816079824868767641392",
"162516013320564762227329392284638372031",
"339825282732052753538233963653102392762",
"181659787796074723859127783665090684477",
"104158748872433304614834733600887157495",
"36691904264726742742548693439149172372",
"224134271848151467016820305230625111987",
"202253408300229988969493250320165698914"
]
},
"id": "CVE-2023-41886-657b77c8",
"signature_type": "Line"
},
{
"signature_version": "v1",
"target": {
"function": "getConnection",
"file": "extensions/database/src/com/google/refine/extension/database/pgsql/PgSQLConnectionManager.java"
},
"deprecated": false,
"source": "https://github.com/openrefine/openrefine/commit/2de1439f5be63d9d0e89bbacbd24fa28c8c3e29d",
"digest": {
"function_hash": "116830974008396641965816380333835860683",
"length": 898.0
},
"id": "CVE-2023-41886-83153774",
"signature_type": "Function"
},
{
"signature_version": "v1",
"target": {
"function": "getDatabaseUrl",
"file": "extensions/database/src/com/google/refine/extension/database/pgsql/PgSQLConnectionManager.java"
},
"deprecated": false,
"source": "https://github.com/openrefine/openrefine/commit/2de1439f5be63d9d0e89bbacbd24fa28c8c3e29d",
"digest": {
"function_hash": "186952275256751828015222685798655798773",
"length": 224.0
},
"id": "CVE-2023-41886-ba648e21",
"signature_type": "Function"
},
{
"signature_version": "v1",
"target": {
"function": "getDatabaseUrl",
"file": "extensions/database/src/com/google/refine/extension/database/mysql/MySQLConnectionManager.java"
},
"deprecated": false,
"source": "https://github.com/openrefine/openrefine/commit/2de1439f5be63d9d0e89bbacbd24fa28c8c3e29d",
"digest": {
"function_hash": "114902112724010012119100223268060240339",
"length": 245.0
},
"id": "CVE-2023-41886-c02a138c",
"signature_type": "Function"
},
{
"signature_version": "v1",
"target": {
"function": "getDatabaseUrl",
"file": "extensions/database/src/com/google/refine/extension/database/sqlite/SQLiteConnectionManager.java"
},
"deprecated": false,
"source": "https://github.com/openrefine/openrefine/commit/2de1439f5be63d9d0e89bbacbd24fa28c8c3e29d",
"digest": {
"function_hash": "143545153857631119613471487443513737974",
"length": 118.0
},
"id": "CVE-2023-41886-c5929cbd",
"signature_type": "Function"
},
{
"signature_version": "v1",
"target": {
"function": "getConnection",
"file": "extensions/database/src/com/google/refine/extension/database/mysql/MySQLConnectionManager.java"
},
"deprecated": false,
"source": "https://github.com/openrefine/openrefine/commit/2de1439f5be63d9d0e89bbacbd24fa28c8c3e29d",
"digest": {
"function_hash": "182346756318723732980500139483911676077",
"length": 931.0
},
"id": "CVE-2023-41886-d1b29ae3",
"signature_type": "Function"
},
{
"signature_version": "v1",
"target": {
"function": "getDatabaseUrl",
"file": "extensions/database/src/com/google/refine/extension/database/mariadb/MariaDBConnectionManager.java"
},
"deprecated": false,
"source": "https://github.com/openrefine/openrefine/commit/2de1439f5be63d9d0e89bbacbd24fa28c8c3e29d",
"digest": {
"function_hash": "186952275256751828015222685798655798773",
"length": 224.0
},
"id": "CVE-2023-41886-dff07a1f",
"signature_type": "Function"
},
{
"signature_version": "v1",
"target": {
"file": "extensions/database/src/com/google/refine/extension/database/DatabaseConfiguration.java"
},
"deprecated": false,
"source": "https://github.com/openrefine/openrefine/commit/2de1439f5be63d9d0e89bbacbd24fa28c8c3e29d",
"digest": {
"threshold": 0.9,
"line_hashes": [
"157147032808925695163598661071258904799",
"44842798372803525762741894040819113427"
]
},
"id": "CVE-2023-41886-e49b13d4",
"signature_type": "Line"
}
]