PT-2024-20112 · Unknown · Openrefine · L0N3Rs · Published 2024-02-12 · Updated 2025-02-10 · CVE-2024-23833

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: OpenRefine versions <= 3.7.7
Description: A JDBC attack vulnerability exists in OpenRefine: an attacker may construct a JDBC query that makes the server read files from the host filesystem. This allows attackers to read sensitive files on the target server; however, because the latest OpenRefine version ships a newer MySQL driver library, the code execution that this technique originally allowed can no longer be achieved.
Recommendations: For OpenRefine versions <= 3.7.7, upgrade to version 3.7.8 to resolve the issue. As a temporary workaround, restrict access to the JDBC connection feature to minimize the risk of exploitation, and avoid using the allowLoadLocalInfile and allowUrlInLocalInfile parameters in the JDBC connection string until the issue is resolved.
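As an added illustration of the last recommendation (example code, not OpenRefine's own), the following check flags JDBC connection strings that carry either parameter. The property names come from the advisory; the sample connection strings are constructed, and case-insensitive matching is a conservative assumption rather than documented driver behaviour.

```python
from urllib.parse import urlsplit, parse_qsl

# Connection-string properties the advisory says to avoid. Matched
# case-insensitively as a conservative choice (assumption, not from the advisory).
DISALLOWED_PROPERTIES = frozenset({"allowloadlocalinfile", "allowurlinlocalinfile"})


def jdbc_query_params(jdbc_url: str) -> list[tuple[str, str]]:
    """Return the (key, value) pairs from a JDBC URL's query string.

    A JDBC URL looks like jdbc:mysql://host:3306/db?k1=v1&k2=v2; the leading
    'jdbc:' prefix is stripped so urlsplit sees an ordinary URL. parse_qsl
    percent-decodes keys, so an encoded spelling of a property is still seen.
    """
    if not jdbc_url.lower().startswith("jdbc:"):
        raise ValueError("not a JDBC URL")
    parts = urlsplit(jdbc_url[len("jdbc:"):])
    # keep_blank_values so a bare 'allowLoadLocalInfile' with no '=' is still reported
    return parse_qsl(parts.query, keep_blank_values=True)


def find_disallowed_properties(jdbc_url: str) -> list[tuple[str, str]]:
    """Return the disallowed properties present in the URL, with their values."""
    return [(key, value) for key, value in jdbc_query_params(jdbc_url)
            if key.lower() in DISALLOWED_PROPERTIES]


def is_safe_jdbc_url(jdbc_url: str) -> bool:
    """True when the connection string carries none of the disallowed properties."""
    return not find_disallowed_properties(jdbc_url)


# Constructed sample connection strings (not taken from the advisory), mapped to
# whether the check should accept them.
SAMPLES = {
    "jdbc:mysql://db.internal:3306/refine?user=refine&useSSL=true": True,
    "jdbc:mysql://db.internal:3306/refine?allowLoadLocalInfile=true&user=refine": False,
    "jdbc:mysql://db.internal/refine?ALLOWURLINLOCALINFILE=true": False,
    "jdbc:mysql://db.internal/refine?allow%4CoadLocalInfile=true": False,
}

if __name__ == "__main__":
    for url, expected in SAMPLES.items():
        verdict = is_safe_jdbc_url(url)
        print(f"{'OK ' if verdict == expected else 'BAD'} safe={verdict} {url}")
        for key, value in find_disallowed_properties(url):
            print(f"    disallowed property: {key}={value!r}")
```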

Exploit · Fix

Weakness Enumeration: Incorrect Authorization, Path traversal

Related Identifiers

CVE-2024-23833
GHSA-6P92-QFQF-QWX4
USN-7260-1

Affected Products

Debian
Linuxmint
Openrefine
Ubuntu