What is the severity of CVE-2024-23833?

CVE-2024-23833 has been assigned a moderate severity level due to its potential impact on user data and system integrity.

How do I fix CVE-2024-23833?

To fix CVE-2024-23833, upgrade OpenRefine to version 3.7.8 or later.

What versions of OpenRefine are affected by CVE-2024-23833?

OpenRefine versions 3.7.7 and earlier are affected by CVE-2024-23833.

What type of attack does CVE-2024-23833 involve?

CVE-2024-23833 involves a JDBC attack vulnerability that can be exploited through malicious MySQL servers.

Can I continue using OpenRefine if I am on an affected version regarding CVE-2024-23833?

It is not recommended to continue using affected versions of OpenRefine due to the security vulnerabilities posed by CVE-2024-23833.

Vulnerability/
CVE-2024-23833

high

7.5

CWE

22 863

EPSS

0.044%

12/2/2024

16/10/2024

CVE-2024-23833: OpenRefine JDBC Attack Vulnerability

First published: Mon Feb 12 2024(Updated: )

### Summary A jdbc attack vulnerability exists in OpenRefine(version<=3.7.7) ### Details #### Vulnerability Recurrence Start by constructing a malicious MySQL Server (using the open source project MySQL_Fake_Server here). ![image](https://user-images.githubusercontent.com/31120718/296241211-96c6a647-8572-4859-837d-dac3d3f52ab0.png) Then go to the Jdbc connection trigger vulnerability ![image](https://user-images.githubusercontent.com/31120718/296241309-af2c404d-0651-4d4b-86d6-8111cef0295b.png) #### Vulnerability Analysis This vulnerability is the bypass of `CVE-2023-41887` vulnerability repair, the main vulnerability principle is actually the use of official syntax features, as shown in the following figure, when the connection we can perform parameter configuration in the Host part ![image](https://user-images.githubusercontent.com/31120718/296241439-db45840c-e3bd-4047-b1ac-499f7aeb4848.png) In `com.google.refine.extension.database.mysql.MySQLConnectionManager#getConnection` method in the final JdbcUrl structure ![image](https://user-images.githubusercontent.com/31120718/296241473-fc63b0a9-6ecf-47a0-ac7d-d68d833c7c27.png) That is, in the ` toURI` method call here, you can see that the Host part is directly concatenated for any verification, which can be bypassed using the address feature of mysql ![image](https://user-images.githubusercontent.com/31120718/296241511-e27ba08c-500a-4ed5-b662-96e5e4a8af5f.png) That is, in the toURI method call here, you can see that the Host part is directly concatenated for any verification, which can be bypassed using the address feature of mysql ![image](https://user-images.githubusercontent.com/31120718/296241733-83d6d0a5-197c-4bcf-835e-0c54b4b8b80f.png) ### PoC _Complete instructions, including specific configuration details, to reproduce the vulnerability._ ``` Type: MySQL Host: 127.0.0.1:3306,(host=127.0.0.1,port=3306,autoDeserialize=true,allowLoadLocalInfile=true,allowUrlInLocalInfile=true,allowLoadLocalInfileInPath=true),127.0.0.1 Port: 3306 User: win_hosts Database: test ``` ### Impact Due to the newer MySQL driver library in the latest version of OpenRefine (8.0.30), there is no associated deserialization utilization point, so original code execution cannot be achieved, but attackers can use this vulnerability to read sensitive files on the target server.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
Openrefine Openrefine	<3.7.8
maven/org.openrefine:database	<=3.7.7	3.7.8
debian/openrefine	<=3.6.2-2+deb12u2	3.8.7-1

Remedy

https://github.com/OpenRefine/OpenRefine/commit/41ccf574847d856e22488a7c0987ad8efa12a84a

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2024-23833?
CVE-2024-23833 has been assigned a moderate severity level due to its potential impact on user data and system integrity.
How do I fix CVE-2024-23833?
To fix CVE-2024-23833, upgrade OpenRefine to version 3.7.8 or later.
What versions of OpenRefine are affected by CVE-2024-23833?
OpenRefine versions 3.7.7 and earlier are affected by CVE-2024-23833.
What type of attack does CVE-2024-23833 involve?
CVE-2024-23833 involves a JDBC attack vulnerability that can be exploited through malicious MySQL servers.
Can I continue using OpenRefine if I am on an affected version regarding CVE-2024-23833?
It is not recommended to continue using affected versions of OpenRefine due to the security vulnerabilities posed by CVE-2024-23833.

agent/title
agent/severity
agent/first-publish-date
agent/type
collector/epss-latest
source/FIRST
agent/epss
collector/mitre-cve
source/MITRE
collector/nvd-api
source/NVD
agent/software-canonical-lookup
agent/remedy
agent/weakness
agent/softwarecombine
collector/github-advisory-latest
source/GitHub
alias/GHSA-6p92-qfqf-qwx4
alias/CVE-2024-23833
agent/last-modified-date
collector/nvd-cve
collector/github-advisory
agent/trending
collector/usn-cve
source/Ubuntu
agent/references
agent/author
agent/description
collector/launchpad-cve
source/Launchpad
agent/source
agent/tags
agent/event
collector/security-tracker-debian
source/Debian
vendor/openrefine
canonical/openrefine openrefine
package-manager/maven
package-manager/debian