CVE-2024-47881

OpenRefine is a free, open source tool for working with messy data. Starting in version 3.4-beta and prior to version 3.8.3, in the database extension, the "enableloadextension" property can be set for the SQLite integration, enabling an attacker to load (local or remote) extension DLLs and so run arbitrary code on the server. The attacker needs to have network access to the OpenRefine instance. Version 3.8.3 fixes this issue.

References

Affected packages

Debian:12 / openrefine

Package

Name: openrefine
Purl: pkg:deb/debian/openrefine?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.6.2-2

3.6.2-2+deb12u1

3.6.2-2+deb12u2

3.6.2-3

3.7.4-1

3.7.5-1

3.7.6-1

3.7.7-1

3.7.8-1

3.8.7-1

3.9.3-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / openrefine

Package

Name: openrefine
Purl: pkg:deb/debian/openrefine?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.8.7-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:14 / openrefine

Package

Name: openrefine
Purl: pkg:deb/debian/openrefine?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.8.7-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/openrefine/openrefine

Affected ranges

Type: GIT
Repo: https://github.com/openrefine/openrefine
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

853a1d91662e7dc278a9a94a38be58de04494056

Affected versions

1.*

1.1

2.*

2.6-alpha.2

2.6-alpha1

2.6-beta.1

2.6-rc.2

2.7

2.7-rc.1

2.7-rc.2

2.8

3.*

3.0

3.0-beta

3.0-rc.1

3.1

3.1-beta

3.2

3.2-beta

3.3

3.3-beta

3.3-rc1

3.4-beta

3.5-beta1

3.7-beta2

3.8-beta1

v2.*

v2.6-rc1

Database specific

{
    "vanir_signatures": [
        {
            "signature_type": "Line",
            "digest": {
                "line_hashes": [
                    "148625465767518197586181414952410500498",
                    "52153195507166527708872059003828524818",
                    "152713181777933480338826892463390586417",
                    "310944242775402350916100846797656514843",
                    "309184951899885671436516249854359508306",
                    "275658479006330244317994889324185974308",
                    "298929508114247424629507713410874031826"
                ],
                "threshold": 0.9
            },
            "signature_version": "v1",
            "id": "CVE-2024-47881-11f3a22f",
            "source": "https://github.com/openrefine/openrefine/commit/853a1d91662e7dc278a9a94a38be58de04494056",
            "target": {
                "file": "extensions/database/src/com/google/refine/extension/database/sqlite/SQLiteConnectionManager.java"
            },
            "deprecated": false
        },
        {
            "signature_type": "Function",
            "digest": {
                "length": 532.0,
                "function_hash": "301210549726976124103022409242604209994"
            },
            "signature_version": "v1",
            "id": "CVE-2024-47881-432d49cf",
            "source": "https://github.com/openrefine/openrefine/commit/853a1d91662e7dc278a9a94a38be58de04494056",
            "target": {
                "function": "beforeTest",
                "file": "extensions/database/tests/src/com/google/refine/extension/database/sqlite/SQLiteDatabaseServiceTest.java"
            },
            "deprecated": false
        },
        {
            "signature_type": "Function",
            "digest": {
                "length": 236.0,
                "function_hash": "239170572422018864752882590789774958086"
            },
            "signature_version": "v1",
            "id": "CVE-2024-47881-69f506c7",
            "source": "https://github.com/openrefine/openrefine/commit/853a1d91662e7dc278a9a94a38be58de04494056",
            "target": {
                "function": "getDatabaseUrl",
                "file": "extensions/database/src/com/google/refine/extension/database/sqlite/SQLiteConnectionManager.java"
            },
            "deprecated": false
        },
        {
            "signature_type": "Line",
            "digest": {
                "line_hashes": [
                    "230901473777520033295366208173917713537",
                    "20817488066084770164423409522632717053",
                    "56737316068447243297744009003038981574",
                    "239913584612583691044809876158160499934",
                    "29631431573964522078349592339383184605",
                    "18927726664908601399464190075605089",
                    "107044435684639136940248779990762021885",
                    "329943744711187267045862377191657579433",
                    "42690964403184960163740306599042394508",
                    "36384622644031061044287865667370585104",
                    "9950470092311162326541082024401237256",
                    "36067413470298253544656446819412126089",
                    "24392167935165774719494233530621425394",
                    "310724215558881680851985929751588820248",
                    "76649531951624290342291761259293479483",
                    "27379248246233266557921644375677248788",
                    "188330552967862325881603458647865357981",
                    "26722760095812288923457469098579928607"
                ],
                "threshold": 0.9
            },
            "signature_version": "v1",
            "id": "CVE-2024-47881-8603b167",
            "source": "https://github.com/openrefine/openrefine/commit/853a1d91662e7dc278a9a94a38be58de04494056",
            "target": {
                "file": "extensions/database/tests/src/com/google/refine/extension/database/sqlite/SQLiteConnectionManagerTest.java"
            },
            "deprecated": false
        },
        {
            "signature_type": "Function",
            "digest": {
                "length": 157.0,
                "function_hash": "29594571857987632570998153976265310529"
            },
            "signature_version": "v1",
            "id": "CVE-2024-47881-ba8a6040",
            "source": "https://github.com/openrefine/openrefine/commit/853a1d91662e7dc278a9a94a38be58de04494056",
            "target": {
                "function": "afterTest",
                "file": "extensions/database/tests/src/com/google/refine/extension/database/sqlite/SQLiteDatabaseServiceTest.java"
            },
            "deprecated": false
        },
        {
            "signature_type": "Function",
            "digest": {
                "length": 236.0,
                "function_hash": "227575456298992408571957668699543165982"
            },
            "signature_version": "v1",
            "id": "CVE-2024-47881-bd645343",
            "source": "https://github.com/openrefine/openrefine/commit/853a1d91662e7dc278a9a94a38be58de04494056",
            "target": {
                "function": "testGetDatabaseUrl",
                "file": "extensions/database/tests/src/com/google/refine/extension/database/sqlite/SQLiteDatabaseServiceTest.java"
            },
            "deprecated": false
        },
        {
            "signature_type": "Line",
            "digest": {
                "line_hashes": [
                    "32401222131785096062200708245799233749",
                    "94566981518584604324749427617334028172",
                    "334749526140071474614362952418790782486",
                    "228404382564821384263936894365427548937"
                ],
                "threshold": 0.9
            },
            "signature_version": "v1",
            "id": "CVE-2024-47881-cf2109d3",
            "source": "https://github.com/openrefine/openrefine/commit/853a1d91662e7dc278a9a94a38be58de04494056",
            "target": {
                "file": "extensions/database/tests/src/com/google/refine/extension/database/DBExtensionTests.java"
            },
            "deprecated": false
        },
        {
            "signature_type": "Function",
            "digest": {
                "length": 157.0,
                "function_hash": "29594571857987632570998153976265310529"
            },
            "signature_version": "v1",
            "id": "CVE-2024-47881-f7da1371",
            "source": "https://github.com/openrefine/openrefine/commit/853a1d91662e7dc278a9a94a38be58de04494056",
            "target": {
                "function": "afterTest",
                "file": "extensions/database/tests/src/com/google/refine/extension/database/sqlite/SQLiteConnectionManagerTest.java"
            },
            "deprecated": false
        },
        {
            "signature_type": "Line",
            "digest": {
                "line_hashes": [
                    "230901473777520033295366208173917713537",
                    "336637532338474233663774344314858706682",
                    "296597646696193379051176017007147162891",
                    "164578035933169516281483451237568798232",
                    "188779297171662721321308442803415507230",
                    "29631431573964522078349592339383184605",
                    "18927726664908601399464190075605089",
                    "107044435684639136940248779990762021885",
                    "241409266627953408960379000538251755626",
                    "89315641394005495261903605506856082249",
                    "329317674755277027641524951277210134611",
                    "211506122883565985452498963313331757306",
                    "339962508101967712196333927212505153374",
                    "100311800875101586217206970300324147326",
                    "148270949013928750204587406239907426647",
                    "45205249259575761962701170534118929901",
                    "100250610033122885382937822884314188819",
                    "42690964403184960163740306599042394508",
                    "36384622644031061044287865667370585104",
                    "9950470092311162326541082024401237256",
                    "36067413470298253544656446819412126089",
                    "24392167935165774719494233530621425394",
                    "310724215558881680851985929751588820248",
                    "76649531951624290342291761259293479483",
                    "27379248246233266557921644375677248788",
                    "137167608026823615974484273626195466600",
                    "317579404134170811036087469517622928453",
                    "333693032492675148291990680870209795714",
                    "223376729324776375975140722554324318492",
                    "315179430583441677294897965586913870948",
                    "100109144700607158646162012169845009921",
                    "264813514899109287234427319969978025366",
                    "312267541733586384478108679928229975219",
                    "261517384245428314571869883271410241893"
                ],
                "threshold": 0.9
            },
            "signature_version": "v1",
            "id": "CVE-2024-47881-fa73b067",
            "source": "https://github.com/openrefine/openrefine/commit/853a1d91662e7dc278a9a94a38be58de04494056",
            "target": {
                "file": "extensions/database/tests/src/com/google/refine/extension/database/sqlite/SQLiteDatabaseServiceTest.java"
            },
            "deprecated": false
        }
    ]
}