CVE-2024-47879

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-47879
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-47879.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-47879
Aliases
Downstream
Published
2024-10-24T20:17:55Z
Modified
2025-10-15T14:55:42.974709Z
Severity
  • 7.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L
Summary
OpenRefine's PreviewExpressionCommand, which evaluates user-supplied expressions, lacks protection against cross-site request forgery (CSRF)
Details

OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the preview-expression command had no cross-site request forgery protection, so a victim who was logged in to OpenRefine and visited a malicious website could have an attacker-controlled expression executed on their instance. The expression can contain arbitrary Clojure or Python code, which is why confidentiality and integrity impact are rated high. The attacker must know a valid project ID of a project that contains at least one row, and must convince the victim to open a malicious webpage. Version 3.8.3 fixes the issue.
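The following is an added example written for this page, not code from OpenRefine. It models the failure mode above as a small request handler: a POST endpoint that evaluates an expression over a project's cells and that, in the vulnerable form, trusts the session cookie alone (which a browser attaches to cross-site form posts too), next to the fixed form, which additionally requires an anti-CSRF token that only the legitimate UI can obtain. The endpoint name, the `csrf_token` parameter, the token lifetime, the sample project and the allow-listed stand-in for the expression engine are all assumptions chosen for illustration; OpenRefine's real expression languages are far more powerful, which is the point of gating them.

```python
"""Added example for CVE-2024-47879: CSRF gate in front of an
expression-preview endpoint. Not OpenRefine code; names are assumptions."""
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 30 * 60  # assumption: issued tokens expire after 30 minutes


class CsrfTokenFactory:
    """Issues unguessable tokens and validates them until they expire.
    A cross-site page cannot read the token-issuing response, so it cannot
    supply a valid token with its forged request."""

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.monotonic):
        self._ttl = ttl
        self._clock = clock
        self._issued = {}  # token -> expiry time

    def generate(self):
        token = secrets.token_urlsafe(32)
        self._issued[token] = self._clock() + self._ttl
        return token

    def is_valid(self, token):
        if not token:
            return False
        expiry = self._issued.get(token)
        if expiry is None:
            return False
        if self._clock() > expiry:
            del self._issued[token]
            return False
        return True


@dataclass
class Request:
    method: str
    cookies: dict   # sent by the browser automatically, cross-site included
    params: dict    # form fields; only the legitimate UI knows the token


@dataclass
class Response:
    status: int
    body: object


# Harmless stand-in for the expression engine: "value.<fn>()" over each cell.
# The real engine runs arbitrary Clojure/Python, which is what makes the
# missing gate below a code-execution issue rather than a nuisance.
_FUNCTIONS = {
    "toUppercase": lambda v: str(v).upper(),
    "length": lambda v: len(str(v)),
    "trim": lambda v: str(v).strip(),
}


def evaluate_expression(expression, cells):
    if not expression.startswith("value.") or not expression.endswith("()"):
        raise ValueError("unsupported expression")
    fn = _FUNCTIONS.get(expression[len("value."):-2])
    if fn is None:
        raise ValueError("unknown function")
    return [fn(c) for c in cells]


# Constructed sample project: one project ID with two cells in a column.
PROJECT_ROWS = {1234567890: ["  alice ", "Bob"]}


def preview_expression(request, csrf, *, require_csrf_token, sessions):
    """Handler for the preview-expression command. With require_csrf_token
    False it behaves like the vulnerable version: a logged-in session cookie
    is enough, so a forged cross-site POST is accepted."""
    if request.method != "POST":
        return Response(405, "method not allowed")
    if request.cookies.get("session") not in sessions:
        return Response(401, "not logged in")
    if require_csrf_token and not csrf.is_valid(request.params.get("csrf_token")):
        return Response(403, "Missing or invalid csrf_token")  # the fix
    try:
        cells = PROJECT_ROWS[int(request.params.get("project", ""))]
    except (KeyError, ValueError):
        return Response(404, "unknown project")
    try:
        results = evaluate_expression(request.params.get("expression", ""), cells)
    except ValueError as exc:
        return Response(400, str(exc))
    return Response(200, results)


def simulate():
    """Run a legitimate request and a forged one against both variants."""
    sessions = {"s3ss10n"}
    csrf = CsrfTokenFactory()
    token = csrf.generate()  # the real UI fetches this first; attacker cannot
    cookies = {"session": "s3ss10n"}  # the browser attaches this either way
    legit = Request("POST", cookies, {"project": "1234567890",
                                      "expression": "value.trim()",
                                      "csrf_token": token})
    forged = Request("POST", cookies, {"project": "1234567890",
                                       "expression": "value.toUppercase()"})
    return {
        "vulnerable_forged": preview_expression(forged, csrf, require_csrf_token=False, sessions=sessions),
        "fixed_forged": preview_expression(forged, csrf, require_csrf_token=True, sessions=sessions),
        "fixed_legit": preview_expression(legit, csrf, require_csrf_token=True, sessions=sessions),
    }


if __name__ == "__main__":
    for name, resp in simulate().items():
        print(f"{name}: {resp.status} {resp.body}")
```

The forged request carries the victim's session cookie but no token, so the vulnerable variant evaluates the attacker's expression while the fixed variant answers 403; the legitimate request, which fetched a token first, still succeeds. When checking a real deployment, the equivalent test is whether a POST to the preview-expression command without the token is rejected before any expression is evaluated.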

References

Affected packages

Git / github.com/OpenRefine/OpenRefine

Affected ranges

Type
GIT
Repo
https://github.com/OpenRefine/OpenRefine
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

1.*

1.1

2.*

2.6-alpha.2
2.6-alpha1
2.6-beta.1
2.6-rc.2
2.7
2.7-rc.1
2.7-rc.2
2.8

3.*

3.0
3.0-beta
3.0-rc.1
3.1
3.1-beta
3.2
3.2-beta
3.3
3.3-beta
3.3-rc1
3.4-beta
3.5-beta1
3.7-beta2
3.8-beta.3
3.8-beta.4
3.8-beta1
3.8-beta2
3.8-beta5
3.8.0
3.8.1
3.8.2

v2.*

v2.6-rc1

Database specific

vanir_signatures

[
    {
        "source": "https://github.com/OpenRefine/OpenRefine/commit/d70d9114a8c021a233f0c13c73a0a7784276f2a4",
        "target": {
            "file": "main/src/com/google/refine/RefineServlet.java"
        },
        "digest": {
            "line_hashes": [
                "70741200116215552636185552063441350157",
                "250578989153400506380281591621571840554",
                "234825196224379482873151685641821868458",
                "163240278076324717749431253028938753191"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "signature_type": "Line",
        "signature_version": "v1",
        "id": "CVE-2024-47879-5d3cb481"
    }
]
