CVE-2023-41887

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2023-41887
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-41887.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-41887
Aliases
Downstream
Published
2023-09-15T20:06:55Z
Modified
2025-11-04T20:14:37.246544Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Remote Code exec in project import with mysql jdbc url attack
Details

OpenRefine is a powerful free, open source tool for working with messy data. Prior to version 3.7.5, a remote code execution vulnerability allows any unauthenticated user to execute code on the server. Version 3.7.5 has a patch for this issue.

Database specific 
{
    "cwe_ids": [
        "CWE-89"
    ]
}
References

Affected packages

Git / github.com/openrefine/openrefine

Affected ranges

Type
GIT
Repo
https://github.com/openrefine/openrefine
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
693fde606d4b5b78b16391c29d110389eb605511

Affected versions

1.*

1.1

2.*

2.6-alpha.2
2.6-alpha1
2.6-beta.1
2.6-rc.2
2.7
2.7-rc.1
2.7-rc.2
2.8

3.*

3.0
3.0-beta
3.0-rc.1
3.1
3.1-beta
3.2
3.2-beta
3.3
3.3-beta
3.3-rc1
3.4-beta
3.5-beta1
3.7-beta2
3.7-beta3
3.7-beta4
3.7-beta5
3.7.0
3.7.1
3.7.2
3.7.3
3.7.4

v2.*

v2.6-rc1

Database specific

vanir_signatures

[
    {
        "signature_version": "v1",
        "source": "https://github.com/openrefine/openrefine/commit/693fde606d4b5b78b16391c29d110389eb605511",
        "deprecated": false,
        "id": "CVE-2023-41887-0f333938",
        "target": {
            "function": "getConnection",
            "file": "extensions/database/src/com/google/refine/extension/database/pgsql/PgSQLConnectionManager.java"
        },
        "digest": {
            "length": 898.0,
            "function_hash": "116830974008396641965816380333835860683"
        },
        "signature_type": "Function"
    },
    {
        "signature_version": "v1",
        "source": "https://github.com/openrefine/openrefine/commit/693fde606d4b5b78b16391c29d110389eb605511",
        "deprecated": false,
        "id": "CVE-2023-41887-1d895667",
        "target": {
            "function": "getDatabaseUrl",
            "file": "extensions/database/src/com/google/refine/extension/database/sqlite/SQLiteConnectionManager.java"
        },
        "digest": {
            "length": 118.0,
            "function_hash": "143545153857631119613471487443513737974"
        },
        "signature_type": "Function"
    },
    {
        "signature_version": "v1",
        "source": "https://github.com/openrefine/openrefine/commit/693fde606d4b5b78b16391c29d110389eb605511",
        "deprecated": false,
        "id": "CVE-2023-41887-1efe4611",
        "target": {
            "file": "extensions/database/src/com/google/refine/extension/database/sqlite/SQLiteConnectionManager.java"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "327175276617973140236574177639281372902",
                "133401992607196297346054102790149442849",
                "107966929631629464680997212269128087442",
                "115126231447599679618367908713702056201",
                "107299902640020052692365499410267929566",
                "270127851368886019188868544405153422003",
                "49864026166585960194532247500852524490"
            ]
        },
        "signature_type": "Line"
    },
    {
        "signature_version": "v1",
        "source": "https://github.com/openrefine/openrefine/commit/693fde606d4b5b78b16391c29d110389eb605511",
        "deprecated": false,
        "id": "CVE-2023-41887-23c3b392",
        "target": {
            "file": "extensions/database/src/com/google/refine/extension/database/mysql/MySQLConnectionManager.java"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "93499350387352243716344320377595364388",
                "267136940035318533730105852909472639718",
                "28535246610280580816079824868767641392",
                "162516013320564762227329392284638372031",
                "339825282732052753538233963653102392762",
                "181659787796074723859127783665090684477",
                "104158748872433304614834733600887157495",
                "36691904264726742742548693439149172372",
                "224134271848151467016820305230625111987",
                "202253408300229988969493250320165698914"
            ]
        },
        "signature_type": "Line"
    },
    {
        "signature_version": "v1",
        "source": "https://github.com/openrefine/openrefine/commit/693fde606d4b5b78b16391c29d110389eb605511",
        "deprecated": false,
        "id": "CVE-2023-41887-560d9b77",
        "target": {
            "file": "extensions/database/src/com/google/refine/extension/database/mariadb/MariaDBConnectionManager.java"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "51105809074562124868865597715872615067",
                "176662979713726992854720158334792335592",
                "304912067826687412005557055737383317470",
                "207346423794384072692578311523052471007",
                "65194962948448113154920370122671442619",
                "242627320899175369581014955349415517909",
                "72912773042994451738971112840290549233",
                "317973846602094683004465163010862295351",
                "16623836675517359104695111435518884941",
                "1765836474915455923284713653214629070",
                "321880713943457350286048360181421579566"
            ]
        },
        "signature_type": "Line"
    },
    {
        "signature_version": "v1",
        "source": "https://github.com/openrefine/openrefine/commit/693fde606d4b5b78b16391c29d110389eb605511",
        "deprecated": false,
        "id": "CVE-2023-41887-6523c90b",
        "target": {
            "function": "getConnection",
            "file": "extensions/database/src/com/google/refine/extension/database/mariadb/MariaDBConnectionManager.java"
        },
        "digest": {
            "length": 931.0,
            "function_hash": "112013358395284153371966215564124581510"
        },
        "signature_type": "Function"
    },
    {
        "signature_version": "v1",
        "source": "https://github.com/openrefine/openrefine/commit/693fde606d4b5b78b16391c29d110389eb605511",
        "deprecated": false,
        "id": "CVE-2023-41887-b139c6e6",
        "target": {
            "function": "getDatabaseUrl",
            "file": "extensions/database/src/com/google/refine/extension/database/pgsql/PgSQLConnectionManager.java"
        },
        "digest": {
            "length": 224.0,
            "function_hash": "186952275256751828015222685798655798773"
        },
        "signature_type": "Function"
    },
    {
        "signature_version": "v1",
        "source": "https://github.com/openrefine/openrefine/commit/693fde606d4b5b78b16391c29d110389eb605511",
        "deprecated": false,
        "id": "CVE-2023-41887-b84c6c8b",
        "target": {
            "function": "getDatabaseUrl",
            "file": "extensions/database/src/com/google/refine/extension/database/mysql/MySQLConnectionManager.java"
        },
        "digest": {
            "length": 245.0,
            "function_hash": "114902112724010012119100223268060240339"
        },
        "signature_type": "Function"
    },
    {
        "signature_version": "v1",
        "source": "https://github.com/openrefine/openrefine/commit/693fde606d4b5b78b16391c29d110389eb605511",
        "deprecated": false,
        "id": "CVE-2023-41887-d15d2307",
        "target": {
            "file": "extensions/database/src/com/google/refine/extension/database/DatabaseConfiguration.java"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "157147032808925695163598661071258904799",
                "44842798372803525762741894040819113427"
            ]
        },
        "signature_type": "Line"
    },
    {
        "signature_version": "v1",
        "source": "https://github.com/openrefine/openrefine/commit/693fde606d4b5b78b16391c29d110389eb605511",
        "deprecated": false,
        "id": "CVE-2023-41887-e13f4ff7",
        "target": {
            "function": "getConnection",
            "file": "extensions/database/src/com/google/refine/extension/database/mysql/MySQLConnectionManager.java"
        },
        "digest": {
            "length": 931.0,
            "function_hash": "182346756318723732980500139483911676077"
        },
        "signature_type": "Function"
    },
    {
        "signature_version": "v1",
        "source": "https://github.com/openrefine/openrefine/commit/693fde606d4b5b78b16391c29d110389eb605511",
        "deprecated": false,
        "id": "CVE-2023-41887-eabd928c",
        "target": {
            "function": "getDatabaseUrl",
            "file": "extensions/database/src/com/google/refine/extension/database/mariadb/MariaDBConnectionManager.java"
        },
        "digest": {
            "length": 224.0,
            "function_hash": "186952275256751828015222685798655798773"
        },
        "signature_type": "Function"
    },
    {
        "signature_version": "v1",
        "source": "https://github.com/openrefine/openrefine/commit/693fde606d4b5b78b16391c29d110389eb605511",
        "deprecated": false,
        "id": "CVE-2023-41887-f7294780",
        "target": {
            "file": "extensions/database/src/com/google/refine/extension/database/pgsql/PgSQLConnectionManager.java"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "51105809074562124868865597715872615067",
                "176662979713726992854720158334792335592",
                "304912067826687412005557055737383317470",
                "204201973635903445520940849547246821035",
                "242627320899175369581014955349415517909",
                "72912773042994451738971112840290549233",
                "317973846602094683004465163010862295351",
                "16623836675517359104695111435518884941",
                "1765836474915455923284713653214629070",
                "321880713943457350286048360181421579566"
            ]
        },
        "signature_type": "Line"
    }
]