Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS02cDkyLXFmcWYtcXd4NM4AA5N0

OpenRefine JDBC Attack Vulnerability

Summary

A jdbc attack vulnerability exists in OpenRefine(version<=3.7.7)

Details

Vulnerability Recurrence

Start by constructing a malicious MySQL Server (using the open source project MySQL_Fake_Server here).
image
Then go to the Jdbc connection trigger vulnerability
image

Vulnerability Analysis

This vulnerability is the bypass of CVE-2023-41887 vulnerability repair, the main vulnerability principle is actually the use of official syntax features, as shown in the following figure, when the connection we can perform parameter configuration in the Host part
image
In com.google.refine.extension.database.mysql.MySQLConnectionManager#getConnection method in the final JdbcUrl structure
image
That is, in the toURI method call here, you can see that the Host part is directly concatenated for any verification, which can be bypassed using the address feature of mysql
image
That is, in the toURI method call here, you can see that the Host part is directly concatenated for any verification, which can be bypassed using the address feature of mysql
image

PoC

Complete instructions, including specific configuration details, to reproduce the vulnerability.

Type: MySQL
Host: 127.0.0.1:3306,(host=127.0.0.1,port=3306,autoDeserialize=true,allowLoadLocalInfile=true,allowUrlInLocalInfile=true,allowLoadLocalInfileInPath=true),127.0.0.1
Port: 3306
User: win_hosts
Database: test

Impact

Due to the newer MySQL driver library in the latest version of OpenRefine (8.0.30), there is no associated deserialization utilization point, so original code execution cannot be achieved, but attackers can use this vulnerability to read sensitive files on the target server.

Permalink: https://github.com/advisories/GHSA-6p92-qfqf-qwx4
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02cDkyLXFmcWYtcXd4NM4AA5N0
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 3 months ago
Updated: 3 months ago


CVSS Score: 7.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Identifiers: GHSA-6p92-qfqf-qwx4, CVE-2024-23833
References: Repository: https://github.com/OpenRefine/OpenRefine
Blast Radius: 1.0

Affected Packages

maven:org.openrefine:database
Dependent packages: 0
Dependent repositories: 0
Downloads:
Affected Version Ranges: <= 3.7.7
Fixed in: 3.7.8
All affected versions: 3.6.0, 3.6.1, 3.6.2, 3.7.0, 3.7.2
All unaffected versions: 3.8.0