Source: openrefine
Version: 3.7.7-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,

The following vulnerability was published for openrefine. Markus, please adjust severity if you think grave/RC severity is not appropriate. openrefine updates were batched previously as well, just in a point release; that might be enough here as well.

CVE-2024-23833[0]:
| OpenRefine is a free, open source power tool for working with messy
| data and improving it. A jdbc attack vulnerability exists in
| OpenRefine(version<=3.7.7) where an attacker may construct a JDBC
| query which may read files on the host filesystem. Due to the newer
| MySQL driver library in the latest version of OpenRefine (8.0.30),
| there is no associated deserialization utilization point, so
| original code execution cannot be achieved, but attackers can use
| this vulnerability to read sensitive files on the target server.
| This issue has been addressed in version 3.7.8. Users are advised to
| upgrade. There are no known workarounds for this vulnerability.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-23833
    https://www.cve.org/CVERecord?id=CVE-2024-23833
[1] https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-6p92-qfqf-qwx4
[2] https://github.com/OpenRefine/OpenRefine/commit/41ccf574847d856e22488a7c0987ad8efa12a84a

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
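As an added illustration of the hardening the advisory above calls for (this is example code written for this page, not OpenRefine's own code and not the fix in commit [2]), below is a guard for a user-supplied MySQL JDBC URL in Java. It assumes, as the advisory implies but does not state, that the file read is reached through Connector/J connection properties carried in the URL: allowLoadLocalInfile and allowUrlInLocalInfile enable the client-side LOAD DATA LOCAL INFILE path that lets a rogue server pull files off the client host, and autoDeserialize plus the interceptor properties form the deserialization path the advisory says no longer applies to the 8.0.30 driver. The allow-list of pass-through parameters, the class and method names, the database-name policy and the sample URLs are all choices made for this example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Properties;
import java.util.Set;

/** Validates a user-supplied MySQL JDBC URL before it reaches DriverManager.getConnection(). */
public final class JdbcUrlGuard {

    /** Query parameters a caller may pass through (assumed policy); anything else is rejected. */
    private static final Set<String> ALLOWED_PARAMS = Set.of(
            "usessl", "requiressl", "servertimezone", "connecttimeout", "sockettimeout");

    /** Connector/J properties pinned to a safe value no matter what the URL said. */
    private static final Map<String, String> FORCED = Map.of(
            "allowLoadLocalInfile", "false",   // client-side LOAD DATA LOCAL INFILE
            "allowUrlInLocalInfile", "false",  // ... and its URL variant
            "autoDeserialize", "false");       // Java deserialization of BLOB columns

    /** Result: the canonical host/port/database plus the hardened Properties to connect with. */
    public static final class Checked {
        public final String host;
        public final int port;
        public final String database;
        public final Properties props;

        Checked(String host, int port, String database, Properties props) {
            this.host = host; this.port = port; this.database = database; this.props = props;
        }

        /** Rebuilt URL without any query string, so URL parameters cannot override props. */
        public String safeUrl() {
            return "jdbc:mysql://" + host + ":" + port + "/" + database;
        }
    }

    public static Checked check(String jdbcUrl, String user, String password) {
        if (jdbcUrl == null || !jdbcUrl.startsWith("jdbc:mysql://")) {
            throw new IllegalArgumentException("only jdbc:mysql:// URLs are accepted");
        }
        URI uri;
        try {
            uri = new URI(jdbcUrl.substring("jdbc:".length()));
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("malformed JDBC URL", e);
        }
        // Multi-host lists and address=(...) syntax have no parseable host and are rejected here.
        if (uri.getHost() == null || uri.getUserInfo() != null || uri.getFragment() != null) {
            throw new IllegalArgumentException("URL must carry exactly one host, no credentials, no fragment");
        }
        // getPath() is percent-decoded, so a database name must be re-validated before it is
        // put back into a URL: "%3F" would otherwise reappear as "?" and smuggle parameters in.
        String path = uri.getPath();
        if (path == null || !path.substring(1).matches("[A-Za-z0-9_$]{1,64}")) {
            throw new IllegalArgumentException("URL must name exactly one plain database");
        }
        Map<String, String> params = parseQuery(uri.getRawQuery());
        for (String key : params.keySet()) {
            if (!ALLOWED_PARAMS.contains(key.toLowerCase(Locale.ROOT))) {
                throw new IllegalArgumentException("disallowed connection property: " + key);
            }
        }
        Properties props = new Properties();
        params.forEach(props::setProperty);
        FORCED.forEach(props::setProperty);
        props.setProperty("user", user);
        props.setProperty("password", password);
        int port = uri.getPort() == -1 ? 3306 : uri.getPort();
        return new Checked(uri.getHost(), port, path.substring(1), props);
    }

    /** Splits the raw query on '&' before decoding, so an encoded '&' inside a value cannot split it. */
    static Map<String, String> parseQuery(String rawQuery) {
        Map<String, String> out = new LinkedHashMap<>();
        if (rawQuery == null || rawQuery.isEmpty()) return out;
        for (String pair : rawQuery.split("&")) {
            int eq = pair.indexOf('=');
            String k = URLDecoder.decode(eq < 0 ? pair : pair.substring(0, eq), StandardCharsets.UTF_8);
            String v = eq < 0 ? "" : URLDecoder.decode(pair.substring(eq + 1), StandardCharsets.UTF_8);
            if (out.put(k, v) != null) {
                throw new IllegalArgumentException("duplicate property: " + k);
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample inputs for this example: one benign URL, two attacker-shaped ones.
        String[] urls = {
            "jdbc:mysql://db.internal:3306/refine?useSSL=true",
            "jdbc:mysql://203.0.113.5:3306/x?allowLoadLocalInfile=true&allowUrlInLocalInfile=true",
            "jdbc:mysql://203.0.113.5/x?autoDeserialize=true&queryInterceptors=com.example.Evil",
        };
        for (String u : urls) {
            try {
                Checked c = check(u, "refine", "example-password");
                System.out.println("OK   " + c.safeUrl()
                        + " allowLoadLocalInfile=" + c.props.getProperty("allowLoadLocalInfile"));
            } catch (IllegalArgumentException e) {
                System.out.println("DENY " + u + " : " + e.getMessage());
            }
        }
    }
}
```

The caller then connects with `DriverManager.getConnection(checked.safeUrl(), checked.props)`. The point of rebuilding the URL without its query string is that the Properties object is the only place connection options can come from, so the pinned allowLoadLocalInfile=false cannot be overridden by whatever the user typed; an allow-list is used rather than a deny-list because the driver's property set grows over releases and a deny-list silently goes stale.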