DEBIAN-CVE-2024-47879

See a problem?
Please try reporting it to the source first.
Source
https://security-tracker.debian.org/tracker/CVE-2024-47879
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2024-47879.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2024-47879
Upstream
Published
2024-10-24T21:15:12Z
Modified
2025-09-30T05:19:39.557053Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, lack of cross-site request forgery protection on the preview-expression command means that visiting a malicious website could cause an attacker-controlled expression to be executed. The expression can contain arbitrary Clojure or Python code. The attacker must know a valid project ID of a project that contains at least one row, and the attacker must convince the victim to open a malicious webpage. Version 3.8.3 fixes the issue.

References

Affected packages

Debian:12 / openrefine

Package

Name
openrefine
Purl
pkg:deb/debian/openrefine?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.6.2-2
3.6.2-2+deb12u1
3.6.2-2+deb12u2
3.6.2-3
3.7.4-1
3.7.5-1
3.7.6-1
3.7.7-1
3.7.8-1
3.8.7-1
3.8.7-2
3.9.3-1
3.9.5-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:13 / openrefine

Package

Name
openrefine
Purl
pkg:deb/debian/openrefine?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.8.7-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:14 / openrefine

Package

Name
openrefine
Purl
pkg:deb/debian/openrefine?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.8.7-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}