CVE-2023-41886

Name of the Vulnerable Software and Affected Versions OpenRefine versions prior to 3.7.5

Description An arbitrary file read issue allows any unauthenticated user to read a file on a server. This is related to the use of the MySQL JDBC connector, where an attacker can exploit the allowLoadLocalInfile parameter to read files on the server. The vulnerability can be exploited by setting the username to a base64 encoded string of the file path and the Database name to include the allowLoadLocalInfile=true parameter for MySQL connector versions greater than 8.14. For versions less than or equal to 8.14, the default value of allowLoadLocalInfile is true, making it easier to exploit.

Recommendations For OpenRefine versions prior to 3.7.5, update to version 3.7.5 or later to fix the arbitrary file read vulnerability. As a temporary workaround, consider restricting access to the MySQL connector or disabling the allowLoadLocalInfile parameter to minimize the risk of exploitation. Avoid using the username and Database name parameters in a way that could allow an attacker to read files on the server.