Platform
java
Component
org.openrefine:main
Fixed in
3.8.4
3.8.3
CVE-2024-47879 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting OpenRefine versions up to 3.8.2. This flaw allows an attacker to execute arbitrary Clojure or Python code within the OpenRefine application by tricking a user into visiting a malicious website. The vulnerability stems from a lack of CSRF protection on the preview-expression command and is mitigated by upgrading to version 3.8.3.
The impact of this vulnerability is significant due to the ability to execute arbitrary code. An attacker could craft a malicious website that, when visited by an authenticated OpenRefine user, would silently execute attacker-controlled code. This code could potentially be used to modify data within the OpenRefine project, exfiltrate sensitive information, or even gain further access to the underlying system, depending on the permissions of the OpenRefine user and the server environment. The requirement for a valid project ID limits the scope somewhat, but the potential for data manipulation and code execution remains a serious concern.
This vulnerability was publicly disclosed on 2024-10-24. There are currently no known public exploits or active campaigns targeting this specific vulnerability. It is not listed on the CISA KEV catalog at the time of writing. The ease of exploitation, combined with the potential impact, suggests that this vulnerability should be prioritized for remediation.
Exploit Status
EPSS
0.14% (33% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-47879 is to upgrade OpenRefine to version 3.8.3 or later, which includes the necessary CSRF protection. If upgrading immediately is not possible, consider implementing a Content Security Policy (CSP) to restrict the execution of inline scripts and other potentially malicious content. While not a complete solution, this can reduce the attack surface. Additionally, educate users about the risks of visiting untrusted websites and opening suspicious links. After upgrading, confirm the fix by attempting to trigger the preview-expression command via a crafted HTTP request and verifying that it is properly protected against CSRF.
Actualice OpenRefine a la versión 3.8.3 o superior. Esta versión corrige la vulnerabilidad de Cross-Site Request Forgery (CSRF) en el comando `preview-expression`. La actualización evitará que un atacante ejecute código arbitrario a través de una página web maliciosa.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-47879 is a Cross-Site Request Forgery (CSRF) vulnerability in OpenRefine versions up to 3.8.2, allowing attackers to execute arbitrary code.
You are affected if you are using OpenRefine version 3.8.2 or earlier. Upgrade to 3.8.3 or later to resolve the issue.
Upgrade OpenRefine to version 3.8.3 or later. Consider implementing a Content Security Policy (CSP) as an interim measure.
There are currently no known public exploits or active campaigns targeting this vulnerability, but the potential impact warrants prompt remediation.
Refer to the OpenRefine security advisory for details: [https://openrefine.org/security/advisories/CVE-2024-47879](https://openrefine.org/security/advisories/CVE-2024-47879)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your pom.xml file and we'll tell you instantly if you're affected.