OpenRefine Users Beware of New File Reading Vulnerability

CVE: CVE-2024-23833
CVSS (v3.1): 7.5
Source: CVE-2024-23833

OpenRefine is an open source data cleaning and transformation tool for working with messy and unstructured data. Researchers have discovered a vulnerability in OpenRefine 3.7.7 and earlier that could allow an attacker to read sensitive files on the server hosting OpenRefine.

The vulnerability lies in how OpenRefine's database import feature connects to databases over JDBC, using connection details supplied through its web interface. An attacker who can reach that interface can craft the JDBC connection (the URL and the driver options it carries) so that the MySQL driver, instead of just querying a database, reads files from the server hosting OpenRefine. The usual mechanism behind this class of JDBC attack is MySQL's LOAD DATA LOCAL INFILE feature: a database server under the attacker's control asks the connecting client to send it a local file, and a client that permits the feature complies. OpenRefine already ships a newer MySQL driver in which the older JDBC tricks that led to remote code execution no longer work, so the impact is limited to reading files; but any file readable by the account OpenRefine runs as, including its configuration, is exposed.
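The shape of the defect, and of the hardening, as an added example written for this page in Python (it is not OpenRefine's code and not the fix that went into 3.7.8): a connection-string builder that concatenates user-supplied fields, so a `?` in any field smuggles driver options into the URL, beside one that allow-lists the database host, validates the other fields and pins the driver options itself. `allowLoadLocalInfile` and `allowUrlInLocalInfile` are real MySQL Connector/J options; `TRUSTED_DB_HOSTS` and the sample inputs are constructed for the example.

```python
"""Build a MySQL JDBC URL from user-supplied import parameters: the weak way
(every field concatenated, so driver options can be smuggled in) beside a
hardened way (allow-listed host, validated fields, options pinned by us).

Added example for illustration; it is not OpenRefine's code and not the
3.7.8 fix. TRUSTED_DB_HOSTS is a constructed allow-list."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed allow-list: the only database hosts this deployment may import from.
TRUSTED_DB_HOSTS = frozenset({"db.internal.example", "10.0.5.20"})

# Connector/J options that decide whether a server may pull client-side files.
PINNED_OPTIONS = {
    "allowLoadLocalInfile": "false",   # refuse LOAD DATA LOCAL INFILE requests
    "allowUrlInLocalInfile": "false",  # and never resolve such requests as URLs
}

_DB_NAME_RE = re.compile(r"[A-Za-z0-9_]{1,64}")
_PORT_RE = re.compile(r"\d{1,5}")


class UntrustedConnection(ValueError):
    """Raised when an import request would reach a host or option we do not allow."""


def build_jdbc_url_unsafe(host, port, database):
    """Weak builder: trusts every field. A '?' in the database name (or host)
    appends arbitrary driver options to the URL, which is the attacker's lever."""
    return f"jdbc:mysql://{host}:{port}/{database}"


def build_jdbc_url(host, port, database, trusted_hosts=TRUSTED_DB_HOSTS):
    """Hardened builder: only allow-listed hosts, a numeric port, a plain
    identifier for the database, and driver options that we choose."""
    if host not in trusted_hosts:
        raise UntrustedConnection(f"database host not on allow-list: {host!r}")
    if not _PORT_RE.fullmatch(str(port)) or not 1 <= int(port) <= 65535:
        raise UntrustedConnection(f"port is not a valid TCP port: {port!r}")
    if not _DB_NAME_RE.fullmatch(database):
        raise UntrustedConnection(f"database name is not a plain identifier: {database!r}")
    # Nothing the user supplied reaches the query string; we write it ourselves.
    query = "&".join(f"{k}={v}" for k, v in PINNED_OPTIONS.items())
    return f"jdbc:mysql://{host}:{int(port)}/{database}?{query}"


def driver_options(jdbc_url):
    """Return the driver options a JDBC URL carries, as the driver would see them.
    Used here to show what the weak builder lets through."""
    # Drop the 'jdbc:' prefix so urlsplit treats the remainder as a normal URL.
    parts = urlsplit(jdbc_url.removeprefix("jdbc:"))
    return {k: v[-1] for k, v in parse_qs(parts.query).items()}


if __name__ == "__main__":
    # Constructed attacker input: a database name with driver options appended.
    smuggled = build_jdbc_url_unsafe("db.internal.example", "3306",
                                     "mydb?allowLoadLocalInfile=true")
    print("weak builder produced:  ", smuggled)
    print("options the driver sees:", driver_options(smuggled))
    print("hardened builder:       ", build_jdbc_url("db.internal.example", "3306", "mydb"))
    for bad in [("attacker.example", "3306", "mydb"),
                ("db.internal.example", "3306", "mydb?allowLoadLocalInfile=true"),
                ("db.internal.example", "3306/other", "mydb")]:
        try:
            build_jdbc_url(*bad)
        except UntrustedConnection as exc:
            print("rejected:", exc)
```

The allow-list is the part that matters most: even with local-infile disabled, letting users point the driver at any host turns OpenRefine into a proxy for reaching internal databases, so the set of reachable hosts should be a deployment decision, not a per-import field.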

This means any OpenRefine release up to and including 3.7.7 is at risk of having its configuration files, or anything else readable by the account OpenRefine runs as, read by an unauthorized party. The developers addressed the issue in 3.7.8, and users on that version or later are protected.

If you use OpenRefine for data cleaning or transformation, upgrade to 3.7.8 or later as soon as possible to close this file reading vulnerability. Beyond upgrading, limit who can reach the OpenRefine web interface: it ships without authentication, so it should stay bound to localhost or sit behind an authenticating proxy, and the account it runs as should be able to read only the files it needs. Keeping software current remains one of the simplest ways to stay ahead of emerging threats.
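A check to go with that advice, as an added example written for this page rather than OpenRefine's own tooling: it decides whether a version string predates the 3.7.8 fix, ranking a pre-release of 3.7.8 as still unfixed, and can ask a running instance for its version. The `/command/core/get-version` endpoint and its `version` field are as I recall them from OpenRefine; confirm against your instance. `SAMPLE_RESPONSE` is a constructed reply.

```python
"""Decide whether an OpenRefine version predates the 3.7.8 fix for
CVE-2024-23833, and optionally ask a running instance for its version.

Added example, not OpenRefine's own tooling. The get-version endpoint and
its "version" field are assumptions to verify; SAMPLE_RESPONSE is constructed."""
import json
import re
import urllib.request

FIXED_IN = (3, 7, 8)

# Constructed example of the JSON a 3.7.7 instance would return.
SAMPLE_RESPONSE = '{"version": "3.7.7", "revision": "abc1234", "full_name": "OpenRefine 3.7.7 [abc1234]"}'

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(-[0-9A-Za-z.]+)?")


def parse_version(text):
    """'3.7.7' -> (3, 7, 7, 1); '3.7.8-rc1' -> (3, 7, 8, 0).
    The last element ranks a pre-release below the final release of the same
    number, so a release candidate of the fixing version still counts as
    unfixed. A missing patch number reads as 0; trailing build info is ignored."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if pre else 1)


def is_affected(version_text):
    """True when the version is older than the 3.7.8 release."""
    return parse_version(version_text) < FIXED_IN + (1,)


def assess_response(body):
    """Parse a get-version JSON body and return (version, affected)."""
    version = json.loads(body)["version"]
    return version, is_affected(version)


def check_instance(base_url="http://127.0.0.1:3333", timeout=5):
    """Fetch the version from a live instance (needs network; not run offline)."""
    with urllib.request.urlopen(f"{base_url}/command/core/get-version", timeout=timeout) as resp:
        return assess_response(resp.read().decode("utf-8"))


if __name__ == "__main__":
    version, affected = assess_response(SAMPLE_RESPONSE)
    print(f"sample reply: OpenRefine {version} -> {'AFFECTED, upgrade' if affected else 'fixed'}")
    try:
        version, affected = check_instance()
        print(f"local instance: OpenRefine {version} -> {'AFFECTED, upgrade' if affected else 'fixed'}")
    except (OSError, KeyError, ValueError) as exc:
        print("no local instance reachable or reply not understood:", exc)
```

Run it on the host that serves OpenRefine, or point `base_url` at the instance; if the interface is exposed beyond localhost, the fact that this script can read the version without credentials is itself a finding.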

References