Bug#1064192: openrefine: CVE-2024-23833

Salvatore Bonaccorso carnil at debian.org
Sun Feb 18 08:08:18 GMT 2024


Source: openrefine
Version: 3.7.7-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerability was published for openrefine.

Markus, please adjust severity if you think grave/RC severity is not
appropriate. openrefine updates were batched previously as well just
in point release, that might be enough here as well.

CVE-2024-23833[0]:
| OpenRefine is a free, open source power tool for working with messy
| data and improving it. A jdbc attack vulnerability exists in
| OpenRefine(version<=3.7.7) where an attacker may construct a JDBC
| query which may read files on the host filesystem. Due to the newer
| MySQL driver library in the latest version of OpenRefine (8.0.30),
| there is no associated deserialization utilization point, so
| original code execution cannot be achieved, but attackers can use
| this vulnerability to read sensitive files on the target server.
| This issue has been addressed in version 3.7.8. Users are advised to
| upgrade. There are no known workarounds for this vulnerability.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-23833
    https://www.cve.org/CVERecord?id=CVE-2024-23833
[1] https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-6p92-qfqf-qwx4
[2] https://github.com/OpenRefine/OpenRefine/commit/41ccf574847d856e22488a7c0987ad8efa12a84a

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore