org.openrefine:database@3.7-beta2 vulnerabilities

  • latest version

    3.8.7

  • latest non vulnerable version

  • first published

    2 years ago

  • latest version published

    1 month ago

  • licenses detected

  • package manager

  • Direct Vulnerabilities

    Known vulnerabilities in the org.openrefine:database package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version

    • Arbitrary Code Injection (severity: Critical)

    Affected versions of this package are vulnerable to Arbitrary Code Injection via the enable_load_extension property in the SQLite integration, due to improper user input sanitization in the getDatabaseUrl function. An attacker can execute arbitrary code on the server by loading malicious DLLs through crafted JDBC URLs.

    How to fix Arbitrary Code Injection?

    Upgrade org.openrefine:database to version 3.8.3 or higher.

    Vulnerable versions: [3.4-beta,3.8.3)
    • Uninitialized Memory Exposure (severity: High)

    Affected versions of this package are vulnerable to Uninitialized Memory Exposure due to improper validation of user-supplied input in the getConnection method. An attacker can stand up a malicious MySQL server to disclose files on the target server via JDBC connection string parameters.

    Note: This is a bypass for CVE-2023-41887.

    How to fix Uninitialized Memory Exposure?

    Upgrade org.openrefine:database to version 3.8-beta1 or higher.

    Vulnerable versions: [,3.8-beta1)
    • Arbitrary File Read (severity: Medium)

    Affected versions of this package are vulnerable to Arbitrary File Read, allowing any unauthenticated user to read files on the server.

    How to fix Arbitrary File Read?

    Upgrade org.openrefine:database to version 3.8-beta1 or higher.

    Vulnerable versions: [,3.8-beta1)
    • Arbitrary Code Execution (severity: High)

    Affected versions of this package are vulnerable to Arbitrary Code Execution when connecting to a malicious MySQL server, due to improperly escaping JDBC URL components in the database extension.

    Note: In order for the server to enable deserialization, the autoDeserialize and queryInterceptors parameters have to be set in the connection string.

    How to fix Arbitrary Code Execution?

    Upgrade org.openrefine:database to version 3.8-beta1 or higher.

    Vulnerable versions: [,3.8-beta1)