CVE-2024-47879

Source
https://cve.org/CVERecord?id=CVE-2024-47879
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-47879.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-47879
Aliases
Downstream
Published
2024-10-24T20:17:55.106Z
Modified
2026-06-18T19:53:38.116773Z
Severity
  • 7.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L CVSS Calculator
Summary
OpenRefine's PreviewExpressionCommand, which is eval, lacks protection against cross-site request forgery (CSRF)
Details

OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, lack of cross-site request forgery protection on the preview-expression command means that visiting a malicious website could cause an attacker-controlled expression to be executed. The expression can contain arbitrary Clojure or Python code. The attacker must know a valid project ID of a project that contains at least one row, and the attacker must convince the victim to open a malicious webpage. Version 3.8.3 fixes the issue.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-352",
        "CWE-94"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/47xxx/CVE-2024-47879.json"
}
References

Affected packages

Git / github.com/openrefine/openrefine

Affected ranges

Type
GIT
Repo
https://github.com/openrefine/openrefine
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.8.3"
        }
    ],
    "cpe": "cpe:2.3:a:openrefine:openrefine:*:*:*:*:*:*:*:*",
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ]
}

Affected versions

2.*
2.6-beta.1
2.6-rc.2
2.7
2.7-rc.1
2.7-rc.2
2.8
3.*
3.0
3.0-beta
3.0-rc.1
3.1
3.1-beta
3.2
3.2-beta
3.3
3.3-beta
3.3-rc1
3.4-beta
3.5-beta1
3.7-beta2
3.8-beta.3
3.8-beta.4
3.8-beta1
3.8-beta2
3.8-beta5
3.8.0
3.8.1
3.8.2
v2.*
v2.6-rc1

Database specific

vanir_signatures_modified
"2026-06-18T19:53:38Z"
vanir_signatures
[
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "90238467797394156770226699564768336154",
                "329654444185774587204392271506491321233",
                "271367906427715587899207566841849471410",
                "326012784001071604213794990812765412829",
                "224065647363121038240135392489443254231",
                "221148913813690021289473791641934906575"
            ]
        },
        "source": "https://github.com/openrefine/openrefine/commit/090924ca923489b6c94397cf1f5df7f7f78f0126",
        "target": {
            "file": "main/src/com/google/refine/commands/browsing/ComputeClustersCommand.java"
        },
        "id": "CVE-2024-47879-2b18bbd7",
        "deprecated": false,
        "signature_type": "Line",
        "signature_version": "v1"
    },
    {
        "digest": {
            "function_hash": "98973911282979267645651693359544553633",
            "length": 685.0
        },
        "source": "https://github.com/openrefine/openrefine/commit/090924ca923489b6c94397cf1f5df7f7f78f0126",
        "target": {
            "file": "main/tests/server/src/com/google/refine/commands/expr/PreviewExpressionCommandTests.java",
            "function": "testParseError"
        },
        "id": "CVE-2024-47879-2dc3b423",
        "deprecated": false,
        "signature_type": "Function",
        "signature_version": "v1"
    },
    {
        "digest": {
            "function_hash": "338404179946803477919014570684088083113",
            "length": 2408.0
        },
        "source": "https://github.com/openrefine/openrefine/commit/090924ca923489b6c94397cf1f5df7f7f78f0126",
        "target": {
            "file": "main/src/com/google/refine/commands/expr/PreviewExpressionCommand.java",
            "function": "doPost"
        },
        "id": "CVE-2024-47879-3022a6d4",
        "deprecated": false,
        "signature_type": "Function",
        "signature_version": "v1"
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "107894179663417932558472522502160101544",
                "268034023411598682370286891669980458296",
                "197557976604528649952228912173753377821",
                "326012784001071604213794990812765412829",
                "97159627876681906769082240146436164394",
                "315572465411026168253020901289591155152",
                "54585287069601189645622696336271915854"
            ]
        },
        "source": "https://github.com/openrefine/openrefine/commit/090924ca923489b6c94397cf1f5df7f7f78f0126",
        "target": {
            "file": "main/src/com/google/refine/commands/expr/PreviewExpressionCommand.java"
        },
        "id": "CVE-2024-47879-3a484628",
        "deprecated": false,
        "signature_type": "Line",
        "signature_version": "v1"
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "70741200116215552636185552063441350157",
                "250578989153400506380281591621571840554",
                "234825196224379482873151685641821868458",
                "163240278076324717749431253028938753191"
            ]
        },
        "source": "https://github.com/openrefine/openrefine/commit/d70d9114a8c021a233f0c13c73a0a7784276f2a4",
        "target": {
            "file": "main/src/com/google/refine/RefineServlet.java"
        },
        "id": "CVE-2024-47879-463f1041",
        "deprecated": false,
        "signature_type": "Line",
        "signature_version": "v1"
    },
    {
        "digest": {
            "function_hash": "123793101368322420937613065081451187153",
            "length": 420.0
        },
        "source": "https://github.com/openrefine/openrefine/commit/090924ca923489b6c94397cf1f5df7f7f78f0126",
        "target": {
            "file": "main/tests/server/src/com/google/refine/commands/expr/PreviewExpressionCommandTests.java",
            "function": "setUpRequestResponse"
        },
        "id": "CVE-2024-47879-48d05c43",
        "deprecated": false,
        "signature_type": "Function",
        "signature_version": "v1"
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "47936983011698091612850174718361419933",
                "289267479621546077210356557982085158118",
                "194075300552596032048067650977042840882",
                "326012784001071604213794990812765412829",
                "97159627876681906769082240146436164394",
                "189385734722154227175377396442507792453"
            ]
        },
        "source": "https://github.com/openrefine/openrefine/commit/090924ca923489b6c94397cf1f5df7f7f78f0126",
        "target": {
            "file": "main/src/com/google/refine/commands/browsing/ComputeFacetsCommand.java"
        },
        "id": "CVE-2024-47879-95734955",
        "deprecated": false,
        "signature_type": "Line",
        "signature_version": "v1"
    },
    {
        "digest": {
            "function_hash": "289467312829840822136384664478917599004",
            "length": 255.0
        },
        "source": "https://github.com/openrefine/openrefine/commit/090924ca923489b6c94397cf1f5df7f7f78f0126",
        "target": {
            "file": "main/tests/server/src/com/google/refine/commands/browsing/ScatterplotDrawCommandTests.java",
            "function": "setUp"
        },
        "id": "CVE-2024-47879-ad42408f",
        "deprecated": false,
        "signature_type": "Function",
        "signature_version": "v1"
    },
    {
        "digest": {
            "function_hash": "28559078656288787280744977887296601685",
            "length": 597.0
        },
        "source": "https://github.com/openrefine/openrefine/commit/090924ca923489b6c94397cf1f5df7f7f78f0126",
        "target": {
            "file": "main/tests/server/src/com/google/refine/commands/expr/PreviewExpressionCommandTests.java",
            "function": "testJsonResponse"
        },
        "id": "CVE-2024-47879-ae2fad21",
        "deprecated": false,
        "signature_type": "Function",
        "signature_version": "v1"
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "111150262936131642872564468396596513594",
                "4185063059649735099975722528817572084",
                "190211915508506071651727606216755137589",
                "44918141649463834431562524419607509229",
                "302730481776002817115063512259535011291",
                "205151688888828080285699308437697579578",
                "133020256219264087772125682864682700889",
                "18825485601491812604969079611849008470",
                "319502007507338138349495680418838959222",
                "207351266084361652563751834007477755955",
                "279595804811420955051249438865678073009",
                "7154893654460597218393778826246513475",
                "3379775283399146572955965013072694963",
                "78375250567435736942462123750702049234",
                "331772952335270016540461096137494742430",
                "289173756467273220564739684137194797478",
                "272263767382967981440875240888197971563",
                "209660339436278314886800731223026188523",
                "23530099277949663253942521211223350415",
                "7523712958309075825891541493509869932",
                "334079948170230465291935027790815510439",
                "286535149175929501077618612409005122096",
                "291510664024983998619659399276560248257",
                "152129255230369790819253999679530108622",
                "320922913349643215240984629248416601180",
                "240733913450171629175287731628428358962",
                "213784540863563425968063478801057689907",
                "98217727759421353340906290920972617683",
                "99360967716883584026942236377068729079",
                "72870160798414672612315963347737203565",
                "25691476360927061154266093058935972052",
                "286462195789943288905060104768605804497",
                "36005949047599674320568534433279189062",
                "271700759223541822201526412349724706770",
                "174085676337137139972261623934780964075",
                "220547054286328410858830815478261665022",
                "33973345430264736007675736340869224367",
                "225677252879486751133986717676096994099",
                "281401378499245375727718114001977874872",
                "134174178410062423848728043293985786769",
                "264289313959893007229387752898253039247",
                "60862094271299069149195675633890295287"
            ]
        },
        "source": "https://github.com/openrefine/openrefine/commit/090924ca923489b6c94397cf1f5df7f7f78f0126",
        "target": {
            "file": "main/tests/server/src/com/google/refine/commands/expr/PreviewExpressionCommandTests.java"
        },
        "id": "CVE-2024-47879-b60feea0",
        "deprecated": false,
        "signature_type": "Line",
        "signature_version": "v1"
    },
    {
        "digest": {
            "function_hash": "123479655569778450004949332465308857619",
            "length": 2108.0
        },
        "source": "https://github.com/openrefine/openrefine/commit/090924ca923489b6c94397cf1f5df7f7f78f0126",
        "target": {
            "file": "main/src/com/google/refine/commands/project/ExportRowsCommand.java",
            "function": "doPost"
        },
        "id": "CVE-2024-47879-be09473c",
        "deprecated": false,
        "signature_type": "Function",
        "signature_version": "v1"
    },
    {
        "digest": {
            "function_hash": "24078221135479512319560063690538901967",
            "length": 1114.0
        },
        "source": "https://github.com/openrefine/openrefine/commit/090924ca923489b6c94397cf1f5df7f7f78f0126",
        "target": {
            "file": "main/src/com/google/refine/commands/browsing/ComputeClustersCommand.java",
            "function": "doPost"
        },
        "id": "CVE-2024-47879-c00c016a",
        "deprecated": false,
        "signature_type": "Function",
        "signature_version": "v1"
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "37211505993755605631605112641250339720",
                "4185063059649735099975722528817572084",
                "258558646478068272713406282298395568239",
                "321485433597980313505943547657079459448",
                "117365903372623619437965106426977866040",
                "160580575020790835008087550657093119418",
                "233038672633998067005076539848758557602",
                "219345823298969224938099580945138775246",
                "88985219921529979998223923690114913085",
                "208405553737107883026086631627875949883",
                "178349615604985602910314657732875699624",
                "164080029723504859062367872597439441266",
                "89208584155960397840235854203563682453",
                "60359342637170232775422312408442055400",
                "126750568715860072872900360124901533651",
                "45020293892696732381616087719023014529",
                "257114649163945390289106316310171005864",
                "22446341383173321665959526901694459439",
                "330907012681851712823631710398776031596",
                "72648607368789953188429004023980621195",
                "125288520795816333090087704300349479136",
                "136712279857033919041600378162135364379",
                "107882089590621993899929198438152251475",
                "93224530366320232956456984892100189461",
                "251189583449292741296479651438355736166",
                "138375167666759507220527334767654896431",
                "89646723514114878798760856045750064826",
                "293854133692055581236810417575245883414"
            ]
        },
        "source": "https://github.com/openrefine/openrefine/commit/090924ca923489b6c94397cf1f5df7f7f78f0126",
        "target": {
            "file": "main/tests/server/src/com/google/refine/commands/browsing/ScatterplotDrawCommandTests.java"
        },
        "id": "CVE-2024-47879-c77397d6",
        "deprecated": false,
        "signature_type": "Line",
        "signature_version": "v1"
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "171982620767165262238152451717600254790",
                "154217301624950807268520504643957860339",
                "123461186487145627733739741206040755460",
                "221148913813690021289473791641934906575"
            ]
        },
        "source": "https://github.com/openrefine/openrefine/commit/090924ca923489b6c94397cf1f5df7f7f78f0126",
        "target": {
            "file": "main/src/com/google/refine/commands/browsing/GetScatterplotCommand.java"
        },
        "id": "CVE-2024-47879-d5734698",
        "deprecated": false,
        "signature_type": "Line",
        "signature_version": "v1"
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "197557976604528649952228912173753377821",
                "272957976043581776541664644087295378971",
                "117703392558309088139012316150580927718",
                "70440800002747637172536703284002516027"
            ]
        },
        "source": "https://github.com/openrefine/openrefine/commit/090924ca923489b6c94397cf1f5df7f7f78f0126",
        "target": {
            "file": "main/src/com/google/refine/commands/project/ExportRowsCommand.java"
        },
        "id": "CVE-2024-47879-f0d24a41",
        "deprecated": false,
        "signature_type": "Line",
        "signature_version": "v1"
    },
    {
        "digest": {
            "function_hash": "98882052463711897704037843275352905616",
            "length": 265.0
        },
        "source": "https://github.com/openrefine/openrefine/commit/090924ca923489b6c94397cf1f5df7f7f78f0126",
        "target": {
            "file": "main/src/com/google/refine/commands/browsing/ComputeFacetsCommand.java",
            "function": "doPost"
        },
        "id": "CVE-2024-47879-f1317810",
        "deprecated": false,
        "signature_type": "Function",
        "signature_version": "v1"
    },
    {
        "digest": {
            "function_hash": "158503616512422239076833189774584458579",
            "length": 655.0
        },
        "source": "https://github.com/openrefine/openrefine/commit/090924ca923489b6c94397cf1f5df7f7f78f0126",
        "target": {
            "file": "main/src/com/google/refine/commands/browsing/GetScatterplotCommand.java",
            "function": "doGet"
        },
        "id": "CVE-2024-47879-fd54a9dc",
        "deprecated": false,
        "signature_type": "Function",
        "signature_version": "v1"
    }
]
source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-47879.json"