org.openrefine:database@3.6-beta2 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.openrefine:database package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • C
Arbitrary Code Injection

Affected versions of this package are vulnerable to Arbitrary Code Injection via the enable_load_extension property in the SQLite integration due to improper user input sanitization in the getDatabaseUrl function. An attacker can execute arbitrary code on the server by loading malicious DLLs through crafted JDBC URLs.

How to fix Arbitrary Code Injection?

Upgrade org.openrefine:database to version 3.8.3 or higher.

[3.4-beta,3.8.3)
  • H
Uninitialized Memory Exposure

Affected versions of this package are vulnerable to Uninitialized Memory Exposure due to improper validation of user-supplied input in the getConnection method. An attacker can stand up a malicious MySQL Server to disclose files on the target server via JDBC connection string parameters.

Note: This is a bypass for CVE-2023-41887.

How to fix Uninitialized Memory Exposure?

Upgrade org.openrefine:database to version 3.8-beta1 or higher.

[,3.8-beta1)
  • M
Arbitrary File Read

Affected versions of this package are vulnerable to Arbitrary File Read allowing any unauthenticated user to read the file on the server

How to fix Arbitrary File Read?

Upgrade org.openrefine:database to version 3.8-beta1 or higher.

[,3.8-beta1)
  • H
Arbitrary Code Execution

Affected versions of this package are vulnerable to Arbitrary Code Execution when connecting to a malicious MySQL server, due to improperly escaping JDBC URL components in the database extension.

Note:

In order for the server to enable deserialization the autoDeserialize and queryInterceptors parameters have to be set in the connection string,

How to fix Arbitrary Code Execution?

Upgrade org.openrefine:database to version 3.8-beta1 or higher.

[,3.8-beta1)