Skip to content

OpenRefine JDBC Attack Vulnerability

High severity GitHub Reviewed Published Feb 11, 2024 in OpenRefine/OpenRefine • Updated Oct 16, 2024

Package

maven org.openrefine:database (Maven)

Affected versions

<= 3.7.7

Patched versions

3.7.8

Description

Summary

A jdbc attack vulnerability exists in OpenRefine(version<=3.7.7)

Details

Vulnerability Recurrence

Start by constructing a malicious MySQL Server (using the open source project MySQL_Fake_Server here).
image
Then go to the Jdbc connection trigger vulnerability
image

Vulnerability Analysis

This vulnerability is the bypass of CVE-2023-41887 vulnerability repair, the main vulnerability principle is actually the use of official syntax features, as shown in the following figure, when the connection we can perform parameter configuration in the Host part
image
In com.google.refine.extension.database.mysql.MySQLConnectionManager#getConnection method in the final JdbcUrl structure
image
That is, in the toURI method call here, you can see that the Host part is directly concatenated for any verification, which can be bypassed using the address feature of mysql
image
That is, in the toURI method call here, you can see that the Host part is directly concatenated for any verification, which can be bypassed using the address feature of mysql
image

PoC

Complete instructions, including specific configuration details, to reproduce the vulnerability.

Type: MySQL
Host: 127.0.0.1:3306,(host=127.0.0.1,port=3306,autoDeserialize=true,allowLoadLocalInfile=true,allowUrlInLocalInfile=true,allowLoadLocalInfileInPath=true),127.0.0.1
Port: 3306
User: win_hosts
Database: test

Impact

Due to the newer MySQL driver library in the latest version of OpenRefine (8.0.30), there is no associated deserialization utilization point, so original code execution cannot be achieved, but attackers can use this vulnerability to read sensitive files on the target server.

References

@wetneb wetneb published to OpenRefine/OpenRefine Feb 11, 2024
Published to the GitHub Advisory Database Feb 12, 2024
Reviewed Feb 12, 2024
Published by the National Vulnerability Database Feb 12, 2024
Last updated Oct 16, 2024

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

EPSS score

0.087%
(38th percentile)

CVE ID

CVE-2024-23833

GHSA ID

GHSA-6p92-qfqf-qwx4

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.