CVE-2024-47879

OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, lack of cross-site request forgery protection on the preview-expression command means that visiting a malicious website could cause an attacker-controlled expression to be executed. The expression can contain arbitrary Clojure or Python code. The attacker must know a valid project ID of a project that contains at least one row, and the attacker must convince the victim to open a malicious webpage. Version 3.8.3 fixes the issue.

Database specific

{
    "cwe_ids": [
        "CWE-352",
        "CWE-94"
    ]
}

References

Affected packages

Git / github.com/openrefine/openrefine

Affected ranges

Type: GIT
Repo: https://github.com/openrefine/openrefine
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

d70d9114a8c021a233f0c13c73a0a7784276f2a4

Affected versions

1.*

1.1

2.*

2.6-alpha.2

2.6-alpha1

2.6-beta.1

2.6-rc.2

2.7

2.7-rc.1

2.7-rc.2

2.8

3.*

3.0

3.0-beta

3.0-rc.1

3.1

3.1-beta

3.2

3.2-beta

3.3

3.3-beta

3.3-rc1

3.4-beta

3.5-beta1

3.7-beta2

3.8-beta.3

3.8-beta.4

3.8-beta1

3.8-beta2

3.8-beta5

3.8.0

3.8.1

3.8.2

v2.*

v2.6-rc1

Database specific

vanir_signatures

[
    {
        "id": "CVE-2024-47879-463f1041",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
                "70741200116215552636185552063441350157",
                "250578989153400506380281591621571840554",
                "234825196224379482873151685641821868458",
                "163240278076324717749431253028938753191"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "main/src/com/google/refine/RefineServlet.java"
        },
        "source": "https://github.com/openrefine/openrefine/commit/d70d9114a8c021a233f0c13c73a0a7784276f2a4",
        "signature_type": "Line"
    }
]