CVE-2024-47879

7.6 HIGH

📋 TL;DR

OpenRefine versions before 3.8.3 do not enforce CSRF protection on the preview-expression command. The command takes a project ID, a row/record index, a column/cell index and an expression, evaluates the expression on that row and returns the result. Because Clojure and Python (Jython) expressions can perform arbitrary actions, a malicious webpage loaded in the victim's browser can make the running OpenRefine instance execute attacker-controlled code. No credentials are involved: OpenRefine has no authentication and by default listens on 127.0.0.1:3333, so any site the user visits while OpenRefine is running can reach it through the browser. The attacker needs a valid project ID and a row index that exists in that project.

💻 Affected Systems

Products:
  • OpenRefine
Versions: All versions before 3.8.3
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires a running OpenRefine instance reachable from the victim's browser, with at least one project containing data.

📦 What is this software?

OpenRefine is a free, open-source tool for cleaning, transforming and reconciling messy tabular data. It runs as a local Java web application (default http://127.0.0.1:3333) driven entirely from the user's browser; cell transformations are written as expressions in GREL, Clojure or Python (Jython).

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution through a Clojure or Python expression, with the privileges of the OpenRefine process. On a workstation that is the user's own account, so full compromise of the host, theft of local files and project data, or ransomware deployment follow.

🟠 Likely Case

Manipulation or exfiltration of data in open OpenRefine projects, or opportunistic code execution on the host, once the attacker has obtained a project ID and a valid row index.

🟢 If Mitigated

Patching removes the issue. Network controls alone do not, because the forged request is sent by the victim's own browser to an instance that browser can already reach; residual risk is low only if users do not browse untrusted sites from the same browser while OpenRefine is running.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction (the victim's browser must load the attacker's page while OpenRefine is running) and knowledge of a valid project ID and a row index within that project. "Unauthenticated Exploit: No" refers to this interaction requirement; OpenRefine itself has no login, so no credentials are needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.8.3

Vendor Advisory: https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-3jm4-c6qf-jrh3

Restart Required: Yes

Instructions:

1. Download OpenRefine 3.8.3 or later from the official release channel (https://github.com/OpenRefine/OpenRefine/releases).
2. Stop the running OpenRefine instance.
3. Replace the installation with the new version (project data lives in the separate workspace directory and is kept).
4. Restart OpenRefine and confirm the reported version.

🔧 Temporary Workarounds

Network Isolation (all platforms)

Keep OpenRefine bound to the loopback interface (the default) or restrict a network-exposed instance to trusted IPs with firewall rules. This limits who can reach the instance directly; it does not stop the CSRF itself, since the forged request comes from the victim's own browser.

User Awareness (all platforms)

Tell users not to browse untrusted sites from the same browser while OpenRefine is running, and to stop OpenRefine when they are done with it.

🧯 If You Can't Patch

  • Stop OpenRefine when it is not in use; a malicious page can only reach an instance that is running.
  • Keep the instance on the loopback interface; network segmentation limits direct exposure but does not block a request issued from the victim's own browser.
  • Where a reverse proxy fronts a network-exposed instance, reject POST requests to /command/ whose Origin (or Referer) header is not the instance's own origin. A default local instance has no proxy in front of it, so this only helps shared deployments.

🔍 How to Verify

Check if Vulnerable:

Request http://127.0.0.1:3333/command/core/get-version (adjust host and port); the JSON reply's "version" field is the running release. The version also appears in the startup banner in the console and in the web interface.

Check Version:

Any version below 3.8.3 (including 3.8.3 pre-release builds) is affected.

Verify Fix Applied:

Confirm the version is 3.8.3 or later, then restart and re-check: a stale process may still be serving the old version.
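The following script is an added example (not OpenRefine project code) that automates the two checks above: it compares the version reported by the real GET /command/core/get-version endpoint against 3.8.3, and it interprets the reply to a preview-expression POST sent without a csrf_token, which a patched instance should refuse. The request parameter names used in probe_preview() and the exact wording of the CSRF error are assumptions about OpenRefine's request handling; the parsing and classification functions run offline on constructed input.

```python
"""Verify whether an OpenRefine instance is affected by CVE-2024-47879.

Added example, not OpenRefine project code. Two checks:
  1. version comparison against the fixed release 3.8.3, via the real
     GET /command/core/get-version endpoint (JSON with a "version" field);
  2. classification of the reply to a POST /command/core/preview-expression
     sent WITHOUT a csrf_token: a patched instance refuses it with a CSRF
     error, an unpatched one evaluates the expression.
Parameter names in probe_preview() and the CSRF error text are assumptions.
"""
import json
import re
import urllib.error
import urllib.parse
import urllib.request

FIXED = (3, 8, 3, 0)                      # first release containing the fix
DEFAULT_BASE = "http://127.0.0.1:3333"    # OpenRefine's default bind address

# major[.minor[.patch]][.extra numeric parts][suffix]
_VER_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:\.\d+)*(.*)$")


def parse_version(text):
    """Map '3.8.2', 'v3.9', '3.8.3-rc1' to a comparable tuple.

    Missing components count as 0. A non-numeric suffix (rc, beta, SNAPSHOT,
    '[TRUNK]') yields -1 in the last slot so that '3.8.3-rc1' sorts below
    '3.8.3' and is still reported as vulnerable.
    """
    m = _VER_RE.match(text.strip().lstrip("vV"))
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor or 0), int(patch or 0), -1 if suffix.strip() else 0)


def is_vulnerable(version):
    """True for every release below 3.8.3, including 3.8.3 pre-releases."""
    return parse_version(version) < FIXED


def check_version(base_url=DEFAULT_BASE, timeout=5):
    """Query a live instance and return (version, vulnerable)."""
    with urllib.request.urlopen(base_url + "/command/core/get-version", timeout=timeout) as resp:
        info = json.load(resp)
    return info["version"], is_vulnerable(info["version"])


def classify_preview_response(body):
    """Classify the reply to a token-less preview-expression POST.

    Assumption: a patched instance answers with a JSON error whose message
    names the missing csrf_token; a vulnerable instance evaluates the
    expression and replies with code "ok". Anything else (unknown project,
    bad row index, non-JSON) is reported as "unknown" rather than guessed.
    """
    try:
        data = json.loads(body)
    except ValueError:
        return "unknown"
    if not isinstance(data, dict):
        return "unknown"
    message = str(data.get("message", "")).lower()
    if data.get("code") == "error" and "csrf" in message:
        return "patched"
    if data.get("code") == "ok":
        return "vulnerable"
    return "unknown"


def probe_preview(project_id, row_index=0, base_url=DEFAULT_BASE, timeout=5):
    """Send a harmless GREL expression without csrf_token and classify the answer.

    Only run this against an instance you own. The parameter names
    (project, expression, cellIndex, rowIndices) are assumptions about the
    command's request format; 'grel:value' merely echoes the cell back.
    """
    body = urllib.parse.urlencode({
        "project": project_id,
        "expression": "grel:value",
        "cellIndex": 0,
        "rowIndices": json.dumps([row_index]),
    }).encode()
    req = urllib.request.Request(base_url + "/command/core/preview-expression",
                                 data=body, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_preview_response(resp.read().decode())
    except urllib.error.HTTPError as err:
        return classify_preview_response(err.read().decode())


if __name__ == "__main__":
    version, vulnerable = check_version()
    print(f"OpenRefine {version}: {'VULNERABLE' if vulnerable else 'fixed'}")
```

Run it on the machine where OpenRefine is running; pass a different base_url for a network-exposed instance. probe_preview() needs an existing project ID and row index, the same preconditions the attack has.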

📡 Detection & Monitoring

Log Indicators:

OpenRefine does not write an HTTP access log by default; these indicators assume request logging at a reverse proxy in front of a network-exposed instance.

  • POST requests to /command/core/preview-expression that carry no csrf_token query parameter (a cross-site page cannot obtain the token; on an unpatched instance first check whether the UI's own preview requests include it, to avoid false positives)
  • Preview-expression requests whose Origin or Referer header names a site other than the instance's own origin

Network Indicators:

  • Cross-origin POSTs to the preview-expression endpoint

SIEM Query:

source="openrefine" AND method="POST" AND uri="*/command/core/preview-expression*" AND NOT uri="*csrf_token=*"
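The detection logic above, as an added example that is not part of this page or of OpenRefine: it scans constructed nginx-style proxy access lines (combined format with the Origin header appended as a last quoted field, which is an assumption about the proxy's log configuration) and flags preview-expression POSTs that come from a foreign origin or carry no csrf_token. The allowed origin, IP addresses and project ID are made up.

```python
"""Flag suspicious POSTs to OpenRefine's preview-expression command.

Added example, not part of the OpenRefine project. OpenRefine writes no
HTTP access log of its own, so input is assumed to be a reverse proxy's
nginx "combined" log with the Origin header appended as a final quoted
field. Two signals are used:
  * Origin is present but is not the instance's own origin (a browser sends
    Origin on every cross-site POST, which is exactly what a CSRF page does);
  * no csrf_token query parameter, which a patched 3.8.3 instance requires
    and which a cross-site page cannot obtain.
"""
import re
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/command/core/preview-expression"
ALLOWED_ORIGINS = {"https://refine.corp.example"}   # constructed deployment origin

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<origin>[^"]*)"$'
)

# Constructed sample: line 1 is the OpenRefine UI itself, line 2 an unrelated
# version probe, line 3 the cross-site POST a malicious page triggers from the
# same workstation's browser, line 4 a scripted client with no token.
SAMPLE_LOG = [
    '10.0.0.42 - - [15/Oct/2024:10:01:02 +0000] "POST /command/core/preview-expression'
    '?project=2468357530285&csrf_token=k3Q9x HTTP/1.1" 200 412 '
    '"https://refine.corp.example/project?project=2468357530285" "Mozilla/5.0" '
    '"https://refine.corp.example"',
    '10.0.0.42 - - [15/Oct/2024:10:01:09 +0000] "GET /command/core/get-version HTTP/1.1" '
    '200 98 "-" "curl/8.5.0" "-"',
    '10.0.0.42 - - [15/Oct/2024:10:03:44 +0000] "POST /command/core/preview-expression'
    '?project=2468357530285 HTTP/1.1" 200 231 '
    '"https://evil.example/refine.html" "Mozilla/5.0" "https://evil.example"',
    '10.0.0.5 - - [15/Oct/2024:10:04:10 +0000] "POST /command/core/preview-expression'
    '?project=2468357530285 HTTP/1.1" 200 231 "-" "python-requests/2.32.3" "-"',
]


def analyze(line, allowed_origins):
    """Return a finding for a suspicious preview-expression POST, else None."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "POST":
        return None
    parts = urlsplit(m["uri"])
    if parts.path != TARGET_PATH:
        return None
    query = parse_qs(parts.query)
    reasons = []
    origin = m["origin"]
    # Browsers always set Origin on cross-site POSTs; "-" means no header (scripted client).
    if origin not in ("", "-") and origin not in allowed_origins:
        reasons.append(f"cross-site Origin {origin}")
    if "csrf_token" not in query:
        reasons.append("no csrf_token")
    if not reasons:
        return None
    return {
        "ip": m["ip"],
        "ts": m["ts"],
        "project": query.get("project", ["?"])[0],
        "referer": m["referer"],
        "user_agent": m["ua"],
        "reasons": reasons,
    }


def scan(lines, allowed_origins):
    """Run analyze() over a log, numbering hits by line for triage."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        finding = analyze(line, allowed_origins)
        if finding:
            finding["line_no"] = line_no
            hits.append(finding)
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG, ALLOWED_ORIGINS):
        print(f"line {h['line_no']}: {h['ip']} project={h['project']} "
              f"-> {', '.join(h['reasons'])}")
```

Feed real proxy lines to scan() instead of SAMPLE_LOG and set ALLOWED_ORIGINS to exactly how users reach the instance (scheme, host and port); the expression itself travels in the POST body and is not visible in an access log, so a hit tells you a forged request happened, not what it ran.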
