GHSA-6p92-qfqf-qwx4

Suggest an improvement
Source
https://github.com/advisories/GHSA-6p92-qfqf-qwx4
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-6p92-qfqf-qwx4/GHSA-6p92-qfqf-qwx4.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-6p92-qfqf-qwx4
Aliases
Published
2024-02-12T15:08:48Z
Modified
2024-10-16T22:22:01.387026Z
Severity
  • 7.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
Summary
OpenRefine JDBC Attack Vulnerability
Details

Summary

A jdbc attack vulnerability exists in OpenRefine(version<=3.7.7)

Details

Vulnerability Recurrence

Start by constructing a malicious MySQL Server (using the open source project MySQLFakeServer here). image Then go to the Jdbc connection trigger vulnerability image

Vulnerability Analysis

This vulnerability is the bypass of CVE-2023-41887 vulnerability repair, the main vulnerability principle is actually the use of official syntax features, as shown in the following figure, when the connection we can perform parameter configuration in the Host part image In com.google.refine.extension.database.mysql.MySQLConnectionManager#getConnection method in the final JdbcUrl structure image That is, in the toURI method call here, you can see that the Host part is directly concatenated for any verification, which can be bypassed using the address feature of mysql image That is, in the toURI method call here, you can see that the Host part is directly concatenated for any verification, which can be bypassed using the address feature of mysql image

PoC

Complete instructions, including specific configuration details, to reproduce the vulnerability.

Type: MySQL
Host: 127.0.0.1:3306,(host=127.0.0.1,port=3306,autoDeserialize=true,allowLoadLocalInfile=true,allowUrlInLocalInfile=true,allowLoadLocalInfileInPath=true),127.0.0.1
Port: 3306
User: win_hosts
Database: test

Impact

Due to the newer MySQL driver library in the latest version of OpenRefine (8.0.30), there is no associated deserialization utilization point, so original code execution cannot be achieved, but attackers can use this vulnerability to read sensitive files on the target server.

Database specific
{
    "nvd_published_at": "2024-02-12T21:15:08Z",
    "cwe_ids": [
        "CWE-22",
        "CWE-863"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-12T15:08:48Z"
}
References

Affected packages

Maven / org.openrefine:database

Package

Name
org.openrefine:database
View open source insights on deps.dev
Purl
pkg:maven/org.openrefine/database

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.7.8

Affected versions

3.*

3.6-beta1
3.6-beta2
3.6-rc1
3.6.0
3.6.1
3.6.2
3.7-beta1
3.7-beta2
3.7.0
3.7.2

Database specific

{
    "last_known_affected_version_range": "<= 3.7.7"
}