First published: Tue Sep 12 2023 (Updated: )
### Summary

A remote code execution vulnerability allows any unauthenticated user to execute code on the server.

### Details

Hi Team, I found that OpenRefine supports importing data from a database. When MySQL JDBC is used to connect to the database, it is vulnerable to JDBC URL attacks. For example, an unauthenticated attacker can get RCE on the server through MySQL deserialization if the mysql-connector-java version used on the server side is less than 8.20. In order for the server to enable deserialization we need to set the `autoDeserialize` and `queryInterceptors` parameters in the connection string. As with https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-qqh2-wvmv-h72m, since the connection string is built by direct concatenation, it is possible to inject the required parameters after the other parameters. And there is a commons-beanutils dependency library on the server side, which contains an RCE-capable deserialization exploit chain.

### PoC

Environment: CentOS 7, OpenRefine 3.7.4, JDK 11, mysql-connector-java version 8.14.0.

You can use the tool https://github.com/4ra1n/mysql-fake-server to run a malicious MySQL server. For example, use the CB 1.9 gadget to execute the command `touch /tmp/hacked`: set `user` to `base64ZGVzZXJfQ0JfdG91Y2ggL3RtcC9oYWNrZWQ=` (`touch /tmp/hacked` base64 encoded) and `dataBaseName` to `test?autoDeserialize=true&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor#`. The command `touch /tmp/hacked` is executed.

### Impact

A remote code execution vulnerability allows any unauthenticated user to execute code on the server.
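The root cause described above is that a user-supplied database name is concatenated straight into the JDBC URL, so `?` and `&` inside it become new driver properties. The following Python example, added for this page and not OpenRefine's own (Java) code, shows the unsafe concatenation side by side with a hardened builder that allow-lists the schema name, plus an audit function that flags the two deserialization-enabling properties named in the advisory in any saved connection string. The host name, port and the `DANGEROUS_JDBC_PROPERTIES` list are assumptions for illustration; the injected database name is the one quoted in the PoC.

```python
"""JDBC URL injection: unsafe concatenation vs. allow-listed builder, and an
audit of connection strings for deserialization-enabling properties.
Example code written for this page; not OpenRefine's implementation."""
import re
from urllib.parse import parse_qs

# The two Connector/J properties the advisory says must be present for the
# driver to deserialize server-supplied data. Extend this set as needed
# (assumed list, compared case-insensitively).
DANGEROUS_JDBC_PROPERTIES = frozenset({"autodeserialize", "queryinterceptors"})

# Allow-list for a MySQL schema identifier: letters, digits, underscore and
# dollar, at most 64 characters. '?', '&', '#', '=', '/' and whitespace are
# therefore rejected before they can reach the URL.
DB_NAME_RE = re.compile(r"^[A-Za-z0-9_$]{1,64}$")
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")

# Database name exactly as given in the advisory's PoC (constructed input).
CONSTRUCTED_DB_NAME = (
    "test?autoDeserialize=true"
    "&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor#"
)


def build_jdbc_url_unsafe(host, port, database):
    """Direct concatenation, the pattern the advisory describes: whatever the
    caller supplies as the database name lands in the URL verbatim."""
    return "jdbc:mysql://" + host + ":" + str(port) + "/" + database


def build_jdbc_url_safe(host, port, database):
    """Hardened form: every component is validated against an allow-list and
    no query string is emitted, so driver properties cannot be smuggled in.
    Properties you actually need should be passed to the driver separately
    (e.g. a Properties object in Java), not appended to this string."""
    if not DB_NAME_RE.fullmatch(database):
        raise ValueError(f"invalid database name: {database!r}")
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"invalid host: {host!r}")
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError(f"invalid port: {port!r}")
    return f"jdbc:mysql://{host}:{port}/{database}"


def dangerous_properties(jdbc_url):
    """Return the names of dangerous properties found in the URL's query part.
    Intended for auditing stored connection strings or request logs."""
    if "?" not in jdbc_url:
        return set()
    query = jdbc_url.split("?", 1)[1]
    # Connector/J does not treat '#' as a fragment separator, so the trailing
    # '#' from the PoC stays attached to the last value and does not hide it.
    params = parse_qs(query, keep_blank_values=True)
    return {name.strip() for name in params
            if name.strip().lower() in DANGEROUS_JDBC_PROPERTIES}


def demo():
    """Run the injected name through both builders and the audit."""
    unsafe_url = build_jdbc_url_unsafe("db.example.internal", 3306, CONSTRUCTED_DB_NAME)
    flagged = dangerous_properties(unsafe_url)
    try:
        build_jdbc_url_safe("db.example.internal", 3306, CONSTRUCTED_DB_NAME)
        rejected = False
    except ValueError:
        rejected = True
    return unsafe_url, flagged, rejected


if __name__ == "__main__":
    url, flagged, rejected = demo()
    print("unsafe URL :", url)
    print("flagged    :", sorted(flagged))
    print("safe builder rejected input:", rejected)
```

The audit function is the cheap retrofit for an existing deployment (run it over every stored connection string before the driver sees it); the allow-listed builder is the actual fix, which is what upgrading to a version that no longer concatenates the raw name achieves.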
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.openrefine:database | <=3.7.4 | 3.7.5 |
| Openrefine Openrefine | <3.7.5 | |
| debian/openrefine | 3.6.2-2+deb12u2 3.8.7-1 | |
The vulnerability ID for this OpenRefine vulnerability is CVE-2023-41887.
The severity of CVE-2023-41887 is critical with a CVSS score of 9.8.
This vulnerability in OpenRefine allows any unauthenticated user to execute arbitrary code on the server.
The affected software version is OpenRefine up to and including version 3.7.4.
To fix CVE-2023-41887, upgrade OpenRefine to version 3.7.5 or higher.