CVE-2023-41887

Name of the Vulnerable Software and Affected Versions OpenRefine versions prior to 3.7.5

Description A remote code execution issue allows any unauthenticated user to execute code on the server. This is possible due to a vulnerability in the way OpenRefine handles certain database connections, specifically when using the mysql-connector-java version less than 8.20. The vulnerability can be exploited by injecting parameters into the connection string, allowing for deserialization and potentially leading to remote code execution. The presence of a commons-beanutils dependency library on the server side, which contains an RCE-capable deserialization exploit chain, further exacerbates the issue.

Recommendations For OpenRefine versions prior to 3.7.5, update to version 3.7.5 or later to patch the remote code execution vulnerability. As a temporary workaround, consider restricting access to the mysql-connector-java and disabling the autoDeserialize and queryInterceptors parameters in the connection string to minimize the risk of exploitation. Avoid using the user and dataBaseName parameters in the affected connection string until the issue is resolved.