CVE-2024-47881: OpenRefine's SQLite integration allows filesystem access, remote code execution (RCE)
In the database extension, the “enable_load_extension” property can be set for the SQLite integration, enabling an attacker to load (local or remote) extension DLLs and so run arbitrary code on the server.
The attacker needs to have network access to the OpenRefine instance.
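One way to keep this property away from the driver, shown as an added example that is not OpenRefine's code or its actual fix: an exact-match allowlist over the options carried in a SQLite JDBC URL and in the connection properties. The class name, the allowlist contents and the sample URLs are assumptions constructed for illustration.

```java
import java.util.Properties;
import java.util.Set;

// Added example (not OpenRefine code): refuse SQLite connection settings that
// are not on an explicit allowlist, so enable_load_extension can never reach
// the JDBC driver from a user-supplied URL or property set.
public class SqliteOptionCheck {
    // Assumption: the only driver options this deployment needs.
    static final Set<String> ALLOWED = Set.of("busy_timeout", "foreign_keys");

    // Returns null when every option is allowed, otherwise the offending key.
    static String firstDisallowedKey(String jdbcUrl, Properties props) {
        int q = jdbcUrl.indexOf('?');
        if (q >= 0) {
            for (String pair : jdbcUrl.substring(q + 1).split("&")) {
                if (pair.isEmpty()) continue;
                // Exact match only: odd case or percent-encoding is refused,
                // not normalised, so nothing can be smuggled past the check.
                String key = pair.split("=", 2)[0];
                if (!ALLOWED.contains(key)) return key;
            }
        }
        for (String key : props.stringPropertyNames()) {
            if (!ALLOWED.contains(key)) return key;
        }
        return null;
    }

    public static void main(String[] args) {
        Properties none = new Properties();
        Properties risky = new Properties();
        risky.setProperty("enable_load_extension", "true");

        // Constructed sample inputs.
        String[] urls = {
            "jdbc:sqlite:/data/refine.db",
            "jdbc:sqlite:/data/refine.db?busy_timeout=3000",
            "jdbc:sqlite:/data/refine.db?enable_load_extension=true",
            "jdbc:sqlite:/data/refine.db?foreign_keys=on&Enable_Load_Extension=1",
        };
        for (String url : urls) {
            String bad = firstDisallowedKey(url, none);
            System.out.println(url + " -> " + (bad == null ? "accept" : "refuse (" + bad + ")"));
        }
        String bad = firstDisallowedKey(urls[0], risky);
        System.out.println("properties -> " + (bad == null ? "accept" : "refuse (" + bad + ")"));
    }
}
```

An allowlist is used instead of a blocklist of the one known-dangerous key so that any other driver option added later is refused by default.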