high
7.3
CWE
22
Advisory Published
Updated

GHSA-6p92-qfqf-qwx4: Path Traversal

First published: Mon Feb 12 2024(Updated: )

### Summary A jdbc attack vulnerability exists in OpenRefine(version<=3.7.7) ### Details #### Vulnerability Recurrence Start by constructing a malicious MySQL Server (using the open source project MySQL_Fake_Server here). ![image](https://user-images.githubusercontent.com/31120718/296241211-96c6a647-8572-4859-837d-dac3d3f52ab0.png) Then go to the Jdbc connection trigger vulnerability ![image](https://user-images.githubusercontent.com/31120718/296241309-af2c404d-0651-4d4b-86d6-8111cef0295b.png) #### Vulnerability Analysis This vulnerability is the bypass of `CVE-2023-41887` vulnerability repair, the main vulnerability principle is actually the use of official syntax features, as shown in the following figure, when the connection we can perform parameter configuration in the Host part ![image](https://user-images.githubusercontent.com/31120718/296241439-db45840c-e3bd-4047-b1ac-499f7aeb4848.png) In `com.google.refine.extension.database.mysql.MySQLConnectionManager#getConnection` method in the final JdbcUrl structure ![image](https://user-images.githubusercontent.com/31120718/296241473-fc63b0a9-6ecf-47a0-ac7d-d68d833c7c27.png) That is, in the ` toURI` method call here, you can see that the Host part is directly concatenated for any verification, which can be bypassed using the address feature of mysql ![image](https://user-images.githubusercontent.com/31120718/296241511-e27ba08c-500a-4ed5-b662-96e5e4a8af5f.png) That is, in the toURI method call here, you can see that the Host part is directly concatenated for any verification, which can be bypassed using the address feature of mysql ![image](https://user-images.githubusercontent.com/31120718/296241733-83d6d0a5-197c-4bcf-835e-0c54b4b8b80f.png) ### PoC _Complete instructions, including specific configuration details, to reproduce the vulnerability._ ``` Type: MySQL Host: 127.0.0.1:3306,(host=127.0.0.1,port=3306,autoDeserialize=true,allowLoadLocalInfile=true,allowUrlInLocalInfile=true,allowLoadLocalInfileInPath=true),127.0.0.1 Port: 3306 User: win_hosts Database: test ``` ### Impact Due to the newer MySQL driver library in the latest version of OpenRefine (8.0.30), there is no associated deserialization utilization point, so original code execution cannot be achieved, but attackers can use this vulnerability to read sensitive files on the target server.

Affected SoftwareAffected VersionHow to fix
maven/org.openrefine:database<=3.7.7
3.7.8

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203