CVE-2024-23833

7.5 HIGH

📋 TL;DR

OpenRefine versions up to and including 3.7.7 contain a JDBC-related vulnerability that allows an attacker to read arbitrary files on the host filesystem. The flaw is triggered when an attacker can construct a malicious JDBC query, potentially exposing sensitive server files. All users running OpenRefine 3.7.7 or earlier are affected.

💻 Affected Systems

Products:
  • OpenRefine
Versions: version <= 3.7.7
Operating Systems: All operating systems running OpenRefine
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of affected versions are vulnerable by default. The newer MySQL driver prevents code execution but file read is still possible.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers read sensitive files like configuration files, credentials, SSH keys, or database files, leading to data breach and potential lateral movement.

🟠 Likely Case: Unauthorized file read of sensitive server files, potentially exposing credentials or configuration data.

🟢 If Mitigated: Limited impact if file permissions restrict access to sensitive files and network access is controlled.

🌐 Internet-Facing: HIGH - Internet-facing OpenRefine instances allow remote attackers to exploit this without authentication.
🏢 Internal Only: MEDIUM - Internal instances still vulnerable to insider threats or compromised internal systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the ability to construct JDBC queries, which may be available through various OpenRefine interfaces. No authentication is needed for exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.7.8

Vendor Advisory: https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-6p92-qfqf-qwx4

Restart Required: Yes

Instructions:

1. Download OpenRefine 3.7.8 or later from official sources.
2. Stop the OpenRefine service.
3. Replace the installation with the new version.
4. Restart the OpenRefine service.

🔧 Temporary Workarounds

No official workarounds: the vendor states there are no known workarounds for this vulnerability.

🧯 If You Can't Patch

  • Restrict network access to OpenRefine instances using firewall rules to only trusted IPs
  • Implement strict file system permissions to limit what files OpenRefine can access

🔍 How to Verify

Check if Vulnerable:

Check the OpenRefine version by running the application and viewing the version in the interface, or by checking the installation directory.

Check Version:

Check the version.txt file in the OpenRefine installation directory, or view the version in the web interface.

Verify Fix Applied:

Verify that the installation shows version 3.7.8 or higher in the application interface or in the version file.

📡 Detection & Monitoring

Log Indicators:

  • Unusual JDBC connection attempts
  • File read operations from unexpected paths
  • Error logs containing file path traversal patterns

Network Indicators:

  • JDBC connection attempts to OpenRefine from untrusted sources
  • Unusual data extraction patterns

SIEM Query:

Search OpenRefine logs for file access patterns containing '../' or absolute filesystem paths.
