CVE-2023-41887

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-41887
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-41887.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-41887
Aliases
Downstream
Published
2023-09-15T20:06:55Z
Modified
2025-10-21T13:26:05.273323Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Remote code execution in project import via a malicious MySQL JDBC URL
Details

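OpenRefine is a powerful free, open source tool for working with messy data. In versions prior to 3.7.5, a remote code execution vulnerability allows any unauthenticated user to execute code on the server. Version 3.7.5 has a patch for this issue. As the summary indicates, the flaw is reached through project import with a MySQL JDBC URL; the signatures listed below, derived from commit 693fde606d4b5b78b16391c29d110389eb605511, target the database extension's connection managers (MySQL, MariaDB, PostgreSQL, SQLite) and `DatabaseConfiguration.java`. Because no authentication is required (PR:N, AV:N), instances that cannot be upgraded to 3.7.5 or later should not be reachable from untrusted networks.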

References

Affected packages

Git / github.com/openrefine/openrefine

Affected ranges

Type
GIT
Repo
https://github.com/openrefine/openrefine
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

1.*

1.1

2.*

2.6-alpha.2
2.6-alpha1
2.6-beta.1
2.6-rc.2
2.7
2.7-rc.1
2.7-rc.2
2.8

3.*

3.0
3.0-beta
3.0-rc.1
3.1
3.1-beta
3.2
3.2-beta
3.3
3.3-beta
3.3-rc1
3.4-beta
3.5-beta1
3.7-beta2
3.7-beta3
3.7-beta4
3.7-beta5
3.7.0
3.7.1
3.7.2
3.7.3
3.7.4

v2.*

v2.6-rc1

Database specific

vanir_signatures

[
    {
        "source": "https://github.com/openrefine/openrefine/commit/693fde606d4b5b78b16391c29d110389eb605511",
        "signature_version": "v1",
        "target": {
            "file": "extensions/database/src/com/google/refine/extension/database/pgsql/PgSQLConnectionManager.java",
            "function": "getConnection"
        },
        "digest": {
            "length": 898.0,
            "function_hash": "116830974008396641965816380333835860683"
        },
        "deprecated": false,
        "signature_type": "Function",
        "id": "CVE-2023-41887-0f333938"
    },
    {
        "source": "https://github.com/openrefine/openrefine/commit/693fde606d4b5b78b16391c29d110389eb605511",
        "signature_version": "v1",
        "target": {
            "file": "extensions/database/src/com/google/refine/extension/database/sqlite/SQLiteConnectionManager.java",
            "function": "getDatabaseUrl"
        },
        "digest": {
            "length": 118.0,
            "function_hash": "143545153857631119613471487443513737974"
        },
        "deprecated": false,
        "signature_type": "Function",
        "id": "CVE-2023-41887-1d895667"
    },
    {
        "source": "https://github.com/openrefine/openrefine/commit/693fde606d4b5b78b16391c29d110389eb605511",
        "signature_version": "v1",
        "target": {
            "file": "extensions/database/src/com/google/refine/extension/database/sqlite/SQLiteConnectionManager.java"
        },
        "digest": {
            "line_hashes": [
                "327175276617973140236574177639281372902",
                "133401992607196297346054102790149442849",
                "107966929631629464680997212269128087442",
                "115126231447599679618367908713702056201",
                "107299902640020052692365499410267929566",
                "270127851368886019188868544405153422003",
                "49864026166585960194532247500852524490"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "signature_type": "Line",
        "id": "CVE-2023-41887-1efe4611"
    },
    {
        "source": "https://github.com/openrefine/openrefine/commit/693fde606d4b5b78b16391c29d110389eb605511",
        "signature_version": "v1",
        "target": {
            "file": "extensions/database/src/com/google/refine/extension/database/mysql/MySQLConnectionManager.java"
        },
        "digest": {
            "line_hashes": [
                "93499350387352243716344320377595364388",
                "267136940035318533730105852909472639718",
                "28535246610280580816079824868767641392",
                "162516013320564762227329392284638372031",
                "339825282732052753538233963653102392762",
                "181659787796074723859127783665090684477",
                "104158748872433304614834733600887157495",
                "36691904264726742742548693439149172372",
                "224134271848151467016820305230625111987",
                "202253408300229988969493250320165698914"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "signature_type": "Line",
        "id": "CVE-2023-41887-23c3b392"
    },
    {
        "source": "https://github.com/openrefine/openrefine/commit/693fde606d4b5b78b16391c29d110389eb605511",
        "signature_version": "v1",
        "target": {
            "file": "extensions/database/src/com/google/refine/extension/database/mariadb/MariaDBConnectionManager.java"
        },
        "digest": {
            "line_hashes": [
                "51105809074562124868865597715872615067",
                "176662979713726992854720158334792335592",
                "304912067826687412005557055737383317470",
                "207346423794384072692578311523052471007",
                "65194962948448113154920370122671442619",
                "242627320899175369581014955349415517909",
                "72912773042994451738971112840290549233",
                "317973846602094683004465163010862295351",
                "16623836675517359104695111435518884941",
                "1765836474915455923284713653214629070",
                "321880713943457350286048360181421579566"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "signature_type": "Line",
        "id": "CVE-2023-41887-560d9b77"
    },
    {
        "source": "https://github.com/openrefine/openrefine/commit/693fde606d4b5b78b16391c29d110389eb605511",
        "signature_version": "v1",
        "target": {
            "file": "extensions/database/src/com/google/refine/extension/database/mariadb/MariaDBConnectionManager.java",
            "function": "getConnection"
        },
        "digest": {
            "length": 931.0,
            "function_hash": "112013358395284153371966215564124581510"
        },
        "deprecated": false,
        "signature_type": "Function",
        "id": "CVE-2023-41887-6523c90b"
    },
    {
        "source": "https://github.com/openrefine/openrefine/commit/693fde606d4b5b78b16391c29d110389eb605511",
        "signature_version": "v1",
        "target": {
            "file": "extensions/database/src/com/google/refine/extension/database/pgsql/PgSQLConnectionManager.java",
            "function": "getDatabaseUrl"
        },
        "digest": {
            "length": 224.0,
            "function_hash": "186952275256751828015222685798655798773"
        },
        "deprecated": false,
        "signature_type": "Function",
        "id": "CVE-2023-41887-b139c6e6"
    },
    {
        "source": "https://github.com/openrefine/openrefine/commit/693fde606d4b5b78b16391c29d110389eb605511",
        "signature_version": "v1",
        "target": {
            "file": "extensions/database/src/com/google/refine/extension/database/mysql/MySQLConnectionManager.java",
            "function": "getDatabaseUrl"
        },
        "digest": {
            "length": 245.0,
            "function_hash": "114902112724010012119100223268060240339"
        },
        "deprecated": false,
        "signature_type": "Function",
        "id": "CVE-2023-41887-b84c6c8b"
    },
    {
        "source": "https://github.com/openrefine/openrefine/commit/693fde606d4b5b78b16391c29d110389eb605511",
        "signature_version": "v1",
        "target": {
            "file": "extensions/database/src/com/google/refine/extension/database/DatabaseConfiguration.java"
        },
        "digest": {
            "line_hashes": [
                "157147032808925695163598661071258904799",
                "44842798372803525762741894040819113427"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "signature_type": "Line",
        "id": "CVE-2023-41887-d15d2307"
    },
    {
        "source": "https://github.com/openrefine/openrefine/commit/693fde606d4b5b78b16391c29d110389eb605511",
        "signature_version": "v1",
        "target": {
            "file": "extensions/database/src/com/google/refine/extension/database/mysql/MySQLConnectionManager.java",
            "function": "getConnection"
        },
        "digest": {
            "length": 931.0,
            "function_hash": "182346756318723732980500139483911676077"
        },
        "deprecated": false,
        "signature_type": "Function",
        "id": "CVE-2023-41887-e13f4ff7"
    },
    {
        "source": "https://github.com/openrefine/openrefine/commit/693fde606d4b5b78b16391c29d110389eb605511",
        "signature_version": "v1",
        "target": {
            "file": "extensions/database/src/com/google/refine/extension/database/mariadb/MariaDBConnectionManager.java",
            "function": "getDatabaseUrl"
        },
        "digest": {
            "length": 224.0,
            "function_hash": "186952275256751828015222685798655798773"
        },
        "deprecated": false,
        "signature_type": "Function",
        "id": "CVE-2023-41887-eabd928c"
    },
    {
        "source": "https://github.com/openrefine/openrefine/commit/693fde606d4b5b78b16391c29d110389eb605511",
        "signature_version": "v1",
        "target": {
            "file": "extensions/database/src/com/google/refine/extension/database/pgsql/PgSQLConnectionManager.java"
        },
        "digest": {
            "line_hashes": [
                "51105809074562124868865597715872615067",
                "176662979713726992854720158334792335592",
                "304912067826687412005557055737383317470",
                "204201973635903445520940849547246821035",
                "242627320899175369581014955349415517909",
                "72912773042994451738971112840290549233",
                "317973846602094683004465163010862295351",
                "16623836675517359104695111435518884941",
                "1765836474915455923284713653214629070",
                "321880713943457350286048360181421579566"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "signature_type": "Line",
        "id": "CVE-2023-41887-f7294780"
    }
]