OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, lack of cross-site request forgery protection on the preview-expression command means that visiting a malicious website could cause an attacker-controlled expression to be executed. The expression can contain arbitrary Clojure or Python code. The attacker must know a valid project ID of a project that contains at least one row, and the attacker must convince the victim to open a malicious webpage. Version 3.8.3 fixes the issue.
{
"cna_assigner": "GitHub_M",
"cwe_ids": [
"CWE-352",
"CWE-94"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/47xxx/CVE-2024-47879.json"
}{
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "3.8.3"
}
],
"cpe": "cpe:2.3:a:openrefine:openrefine:*:*:*:*:*:*:*:*",
"source": [
"CPE_RANGE",
"REFERENCES"
]
}"2026-06-18T19:53:38Z"
[
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"90238467797394156770226699564768336154",
"329654444185774587204392271506491321233",
"271367906427715587899207566841849471410",
"326012784001071604213794990812765412829",
"224065647363121038240135392489443254231",
"221148913813690021289473791641934906575"
]
},
"source": "https://github.com/openrefine/openrefine/commit/090924ca923489b6c94397cf1f5df7f7f78f0126",
"target": {
"file": "main/src/com/google/refine/commands/browsing/ComputeClustersCommand.java"
},
"id": "CVE-2024-47879-2b18bbd7",
"deprecated": false,
"signature_type": "Line",
"signature_version": "v1"
},
{
"digest": {
"function_hash": "98973911282979267645651693359544553633",
"length": 685.0
},
"source": "https://github.com/openrefine/openrefine/commit/090924ca923489b6c94397cf1f5df7f7f78f0126",
"target": {
"file": "main/tests/server/src/com/google/refine/commands/expr/PreviewExpressionCommandTests.java",
"function": "testParseError"
},
"id": "CVE-2024-47879-2dc3b423",
"deprecated": false,
"signature_type": "Function",
"signature_version": "v1"
},
{
"digest": {
"function_hash": "338404179946803477919014570684088083113",
"length": 2408.0
},
"source": "https://github.com/openrefine/openrefine/commit/090924ca923489b6c94397cf1f5df7f7f78f0126",
"target": {
"file": "main/src/com/google/refine/commands/expr/PreviewExpressionCommand.java",
"function": "doPost"
},
"id": "CVE-2024-47879-3022a6d4",
"deprecated": false,
"signature_type": "Function",
"signature_version": "v1"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"107894179663417932558472522502160101544",
"268034023411598682370286891669980458296",
"197557976604528649952228912173753377821",
"326012784001071604213794990812765412829",
"97159627876681906769082240146436164394",
"315572465411026168253020901289591155152",
"54585287069601189645622696336271915854"
]
},
"source": "https://github.com/openrefine/openrefine/commit/090924ca923489b6c94397cf1f5df7f7f78f0126",
"target": {
"file": "main/src/com/google/refine/commands/expr/PreviewExpressionCommand.java"
},
"id": "CVE-2024-47879-3a484628",
"deprecated": false,
"signature_type": "Line",
"signature_version": "v1"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"70741200116215552636185552063441350157",
"250578989153400506380281591621571840554",
"234825196224379482873151685641821868458",
"163240278076324717749431253028938753191"
]
},
"source": "https://github.com/openrefine/openrefine/commit/d70d9114a8c021a233f0c13c73a0a7784276f2a4",
"target": {
"file": "main/src/com/google/refine/RefineServlet.java"
},
"id": "CVE-2024-47879-463f1041",
"deprecated": false,
"signature_type": "Line",
"signature_version": "v1"
},
{
"digest": {
"function_hash": "123793101368322420937613065081451187153",
"length": 420.0
},
"source": "https://github.com/openrefine/openrefine/commit/090924ca923489b6c94397cf1f5df7f7f78f0126",
"target": {
"file": "main/tests/server/src/com/google/refine/commands/expr/PreviewExpressionCommandTests.java",
"function": "setUpRequestResponse"
},
"id": "CVE-2024-47879-48d05c43",
"deprecated": false,
"signature_type": "Function",
"signature_version": "v1"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"47936983011698091612850174718361419933",
"289267479621546077210356557982085158118",
"194075300552596032048067650977042840882",
"326012784001071604213794990812765412829",
"97159627876681906769082240146436164394",
"189385734722154227175377396442507792453"
]
},
"source": "https://github.com/openrefine/openrefine/commit/090924ca923489b6c94397cf1f5df7f7f78f0126",
"target": {
"file": "main/src/com/google/refine/commands/browsing/ComputeFacetsCommand.java"
},
"id": "CVE-2024-47879-95734955",
"deprecated": false,
"signature_type": "Line",
"signature_version": "v1"
},
{
"digest": {
"function_hash": "289467312829840822136384664478917599004",
"length": 255.0
},
"source": "https://github.com/openrefine/openrefine/commit/090924ca923489b6c94397cf1f5df7f7f78f0126",
"target": {
"file": "main/tests/server/src/com/google/refine/commands/browsing/ScatterplotDrawCommandTests.java",
"function": "setUp"
},
"id": "CVE-2024-47879-ad42408f",
"deprecated": false,
"signature_type": "Function",
"signature_version": "v1"
},
{
"digest": {
"function_hash": "28559078656288787280744977887296601685",
"length": 597.0
},
"source": "https://github.com/openrefine/openrefine/commit/090924ca923489b6c94397cf1f5df7f7f78f0126",
"target": {
"file": "main/tests/server/src/com/google/refine/commands/expr/PreviewExpressionCommandTests.java",
"function": "testJsonResponse"
},
"id": "CVE-2024-47879-ae2fad21",
"deprecated": false,
"signature_type": "Function",
"signature_version": "v1"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"111150262936131642872564468396596513594",
"4185063059649735099975722528817572084",
"190211915508506071651727606216755137589",
"44918141649463834431562524419607509229",
"302730481776002817115063512259535011291",
"205151688888828080285699308437697579578",
"133020256219264087772125682864682700889",
"18825485601491812604969079611849008470",
"319502007507338138349495680418838959222",
"207351266084361652563751834007477755955",
"279595804811420955051249438865678073009",
"7154893654460597218393778826246513475",
"3379775283399146572955965013072694963",
"78375250567435736942462123750702049234",
"331772952335270016540461096137494742430",
"289173756467273220564739684137194797478",
"272263767382967981440875240888197971563",
"209660339436278314886800731223026188523",
"23530099277949663253942521211223350415",
"7523712958309075825891541493509869932",
"334079948170230465291935027790815510439",
"286535149175929501077618612409005122096",
"291510664024983998619659399276560248257",
"152129255230369790819253999679530108622",
"320922913349643215240984629248416601180",
"240733913450171629175287731628428358962",
"213784540863563425968063478801057689907",
"98217727759421353340906290920972617683",
"99360967716883584026942236377068729079",
"72870160798414672612315963347737203565",
"25691476360927061154266093058935972052",
"286462195789943288905060104768605804497",
"36005949047599674320568534433279189062",
"271700759223541822201526412349724706770",
"174085676337137139972261623934780964075",
"220547054286328410858830815478261665022",
"33973345430264736007675736340869224367",
"225677252879486751133986717676096994099",
"281401378499245375727718114001977874872",
"134174178410062423848728043293985786769",
"264289313959893007229387752898253039247",
"60862094271299069149195675633890295287"
]
},
"source": "https://github.com/openrefine/openrefine/commit/090924ca923489b6c94397cf1f5df7f7f78f0126",
"target": {
"file": "main/tests/server/src/com/google/refine/commands/expr/PreviewExpressionCommandTests.java"
},
"id": "CVE-2024-47879-b60feea0",
"deprecated": false,
"signature_type": "Line",
"signature_version": "v1"
},
{
"digest": {
"function_hash": "123479655569778450004949332465308857619",
"length": 2108.0
},
"source": "https://github.com/openrefine/openrefine/commit/090924ca923489b6c94397cf1f5df7f7f78f0126",
"target": {
"file": "main/src/com/google/refine/commands/project/ExportRowsCommand.java",
"function": "doPost"
},
"id": "CVE-2024-47879-be09473c",
"deprecated": false,
"signature_type": "Function",
"signature_version": "v1"
},
{
"digest": {
"function_hash": "24078221135479512319560063690538901967",
"length": 1114.0
},
"source": "https://github.com/openrefine/openrefine/commit/090924ca923489b6c94397cf1f5df7f7f78f0126",
"target": {
"file": "main/src/com/google/refine/commands/browsing/ComputeClustersCommand.java",
"function": "doPost"
},
"id": "CVE-2024-47879-c00c016a",
"deprecated": false,
"signature_type": "Function",
"signature_version": "v1"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"37211505993755605631605112641250339720",
"4185063059649735099975722528817572084",
"258558646478068272713406282298395568239",
"321485433597980313505943547657079459448",
"117365903372623619437965106426977866040",
"160580575020790835008087550657093119418",
"233038672633998067005076539848758557602",
"219345823298969224938099580945138775246",
"88985219921529979998223923690114913085",
"208405553737107883026086631627875949883",
"178349615604985602910314657732875699624",
"164080029723504859062367872597439441266",
"89208584155960397840235854203563682453",
"60359342637170232775422312408442055400",
"126750568715860072872900360124901533651",
"45020293892696732381616087719023014529",
"257114649163945390289106316310171005864",
"22446341383173321665959526901694459439",
"330907012681851712823631710398776031596",
"72648607368789953188429004023980621195",
"125288520795816333090087704300349479136",
"136712279857033919041600378162135364379",
"107882089590621993899929198438152251475",
"93224530366320232956456984892100189461",
"251189583449292741296479651438355736166",
"138375167666759507220527334767654896431",
"89646723514114878798760856045750064826",
"293854133692055581236810417575245883414"
]
},
"source": "https://github.com/openrefine/openrefine/commit/090924ca923489b6c94397cf1f5df7f7f78f0126",
"target": {
"file": "main/tests/server/src/com/google/refine/commands/browsing/ScatterplotDrawCommandTests.java"
},
"id": "CVE-2024-47879-c77397d6",
"deprecated": false,
"signature_type": "Line",
"signature_version": "v1"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"171982620767165262238152451717600254790",
"154217301624950807268520504643957860339",
"123461186487145627733739741206040755460",
"221148913813690021289473791641934906575"
]
},
"source": "https://github.com/openrefine/openrefine/commit/090924ca923489b6c94397cf1f5df7f7f78f0126",
"target": {
"file": "main/src/com/google/refine/commands/browsing/GetScatterplotCommand.java"
},
"id": "CVE-2024-47879-d5734698",
"deprecated": false,
"signature_type": "Line",
"signature_version": "v1"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"197557976604528649952228912173753377821",
"272957976043581776541664644087295378971",
"117703392558309088139012316150580927718",
"70440800002747637172536703284002516027"
]
},
"source": "https://github.com/openrefine/openrefine/commit/090924ca923489b6c94397cf1f5df7f7f78f0126",
"target": {
"file": "main/src/com/google/refine/commands/project/ExportRowsCommand.java"
},
"id": "CVE-2024-47879-f0d24a41",
"deprecated": false,
"signature_type": "Line",
"signature_version": "v1"
},
{
"digest": {
"function_hash": "98882052463711897704037843275352905616",
"length": 265.0
},
"source": "https://github.com/openrefine/openrefine/commit/090924ca923489b6c94397cf1f5df7f7f78f0126",
"target": {
"file": "main/src/com/google/refine/commands/browsing/ComputeFacetsCommand.java",
"function": "doPost"
},
"id": "CVE-2024-47879-f1317810",
"deprecated": false,
"signature_type": "Function",
"signature_version": "v1"
},
{
"digest": {
"function_hash": "158503616512422239076833189774584458579",
"length": 655.0
},
"source": "https://github.com/openrefine/openrefine/commit/090924ca923489b6c94397cf1f5df7f7f78f0126",
"target": {
"file": "main/src/com/google/refine/commands/browsing/GetScatterplotCommand.java",
"function": "doGet"
},
"id": "CVE-2024-47879-fd54a9dc",
"deprecated": false,
"signature_type": "Function",
"signature_version": "v1"
}
]
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-47879.json"