PT-2024-8658 · Unknown+3 · Openrefine+3

Highwetneb · Published 2024-10-24 · Updated 2025-02-10 · CVE-2024-47881

CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: OpenRefine versions 3.4-beta through 3.8.2
Description: The issue lies in OpenRefine's database extension, whose SQLite integration accepts the "enable load extension" property. With it set, an attacker can make the server load local or remote extension DLLs and thereby execute arbitrary code. The attacker needs network access to the OpenRefine instance; the vulnerability can be exploited to achieve remote code execution.
Recommendations: For OpenRefine versions 3.4-beta through 3.8.2, update to version 3.8.3 to fix the issue. As a temporary workaround, set "enable load extension" to false or restrict access to the database extension to minimize the risk of exploitation. Additionally, consider mitigation steps such as having users upload the SQLite database file, making the path relative to the workspace directory, adding additional checks to the path, using the READONLY open mode, and enforcing stricter limits.
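The mitigation steps above (a path confined to the workspace directory, the READONLY open mode, extension loading switched off) carried through in code, as an added example that is not OpenRefine's own code; it assumes the xerial sqlite-jdbc driver's SQLiteConfig and a hypothetical workspace directory supplied by the caller.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import org.sqlite.SQLiteConfig;

/** Hardened SQLite open (added example, assumes xerial sqlite-jdbc; not OpenRefine's code).
 *  Driver properties come only from this class, never from request parameters, so a
 *  caller cannot smuggle in "enable load extension" or any other driver setting. */
public final class SafeSqliteOpen {
    private final Path workspaceDir;

    public SafeSqliteOpen(Path workspaceDir) {
        this.workspaceDir = workspaceDir.toAbsolutePath().normalize();
    }

    /** Resolve a user-supplied name relative to the workspace; reject absolute paths,
     *  ".." escapes and anything that is not an existing regular file. */
    public Path resolveDatabasePath(String userSupplied) {
        Path candidate = workspaceDir.resolve(userSupplied).normalize();
        if (Path.of(userSupplied).isAbsolute() || !candidate.startsWith(workspaceDir)) {
            throw new IllegalArgumentException("path escapes workspace: " + userSupplied);
        }
        if (!Files.isRegularFile(candidate)) {
            throw new IllegalArgumentException("not an existing database file: " + userSupplied);
        }
        return candidate;
    }

    /** Open read-only with load_extension() disabled, so no query on this connection
     *  can pull an extension library into the server process. */
    public Connection open(String userSupplied) throws SQLException {
        Path db = resolveDatabasePath(userSupplied);
        SQLiteConfig config = new SQLiteConfig();
        config.setReadOnly(true);            // SQLITE_OPEN_READONLY open mode
        config.enableLoadExtension(false);   // refuse load_extension() / .load
        return DriverManager.getConnection("jdbc:sqlite:" + db, config.toProperties());
    }
}
```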

Exploit · Fix · SQL injection

Weakness Enumeration

Related Identifiers

BDU:2024-10250
CVE-2024-47881
GHSA-87CF-J763-VVH8
USN-7260-1

Affected Products

Debian
Linuxmint
Openrefine
Ubuntu