CVE-2024-47881 — OpenRefine's SQLite integration allows filesystem access, remote code execution

Description

OpenRefine is a free, open source tool for working with messy data. Starting in version 3.4-beta and prior to version 3.8.3, in the `database` extension, the "enable_load_extension" property can be set for the SQLite integration, enabling an attacker to load (local or remote) extension DLLs and so run arbitrary code on the server. The attacker needs to have network access to the OpenRefine instance. Version 3.8.3 fixes this issue.

How to fix CVE-2024-47881

To remediate CVE-2024-47881, upgrade the affected package to a fixed version below.

—upgrade to 3.6.2-2+deb12u3 or later
—upgrade to 3.8.3 or later

Is CVE-2024-47881 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 3.6.2-2+deb12u3
>= 3.4-beta, < 3.8.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

References (4)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2024-47881
PATCHgithub.com/OpenRefine/OpenRefine
WEBgithub.com/OpenRefine/OpenRefine/commit/853a1d91662e7dc278a9a94a38be58de04494056
WEBgithub.com/OpenRefine/OpenRefine/security/advisories/GHSA-87cf-j763-vvh8