org.openrefine:database@3.6.0 vulnerabilities

Affected versions of this package are vulnerable to Arbitrary Code Injection via the enable_load_extension property in the SQLite integration due to improper user input sanitization in the getDatabaseUrl function. An attacker can execute arbitrary code on the server by loading malicious DLLs through crafted JDBC URLs.

Upgrade org.openrefine:database to version 3.8.3 or higher.

Affected versions of this package are vulnerable to Uninitialized Memory Exposure due to improper validation of user-supplied input in the getConnection method. An attacker can stand up a malicious MySQL Server to disclose files on the target server via JDBC connection string parameters.

Note: This is a bypass for CVE-2023-41887.

Upgrade org.openrefine:database to version 3.8-beta1 or higher.

Affected versions of this package are vulnerable to Arbitrary File Read allowing any unauthenticated user to read the file on the server

Upgrade org.openrefine:database to version 3.8-beta1 or higher.

Affected versions of this package are vulnerable to Arbitrary Code Execution when connecting to a malicious MySQL server, due to improperly escaping JDBC URL components in the database extension.

Note:

In order for the server to enable deserialization the autoDeserialize and queryInterceptors parameters have to be set in the connection string,

Upgrade org.openrefine:database to version 3.8-beta1 or higher.