CVE-2024-47881

HIGH8.1EPSS 0.29%

OpenRefine's SQLite integration allows filesystem access, remote code execution (RCE)

Published: 10/24/2024Modified: 4/28/2026

Description

OpenRefine is a free, open source tool for working with messy data. Starting in version 3.4-beta and prior to version 3.8.3, in the `database` extension, the "enable_load_extension" property can be set for the SQLite integration, enabling an attacker to load (local or remote) extension DLLs and so run arbitrary code on the server. The attacker needs to have network access to the OpenRefine instance. Version 3.8.3 fixes this issue.

Affected packages (2)

Debian/openrefinefrom 0, < 3.6.2-2+deb12u3
Maven/org.openrefine:database>= 3.4-beta, < 3.8.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

References (4)

ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2024-47881
PATCHhttps://github.com/OpenRefine/OpenRefine
WEBhttps://github.com/OpenRefine/OpenRefine/commit/853a1d91662e7dc278a9a94a38be58de04494056
WEBhttps://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-87cf-j763-vvh8