OpenRefine/OpenRefine: OpenRefine 3.8.4
Authors/Creators
- Antonin Delpeuch
- Tom Morris
- David Huynh
- Weblate (bot) [1]
- Stefano Mazzocchi [2]
- Jacky
- Thad Guidry
- elebitzero
- Owen Stephens [3]
- Isao Matsunami
- Iain Sproat
- Albin Larsson
- Silvério Santos
- allanaaa
- kushthedude [4]
- Sandra Fauconnier [5]
- Ekta Mishra [6]
- Martin Magdinier
- Antoine Beaubien [7]
- Lu Liu [8]
- Fabio Tacchelli [9]
- Joanne Ong
- Florian Giroud
- Allan Nordhøy [10]
- Luca Martinelli [Sannita]
- Elroy Kanye [11]
- Mathieu Saby
- Lisa Chandra
Affiliations
- [1] @WeblateOrg
- [2] Singularity6
- [3] Owen Stephens Consulting
- [4] Indian Institute of Technology, Jodhpur
- [5] Wikimedia movement
- [6] @PhonePe
- [7] Services informatiques Beaubien
- [8] UESTC
- [9] @sirensolutions
- [10] Another Agency
- [11] @OpenRefine @campus-experts @skye8-tech @fossasia @Kovers @Kanyelings
Description
This release fixes a collection of important vulnerabilities in OpenRefine. We encourage users to upgrade swiftly.
To continue using the Google Drive and Google Sheets integration, users need to obtain their own application credentials from the Google API Console.
Note: the vulnerability fixes were originally released as 3.8.3, but that version is broken because of human error in the release process. The description of the vulnerabilities is repeated here for visibility.
Vulnerabilities in OpenRefine
- PreviewExpressionCommand, which evaluates arbitrary expressions (effectively an eval), lacks protection against cross-site request forgery (CSRF). CVE-2024-47879, GHSA-3jm4-c6qf-jrh3. Reported by @wandernauta, fix by @wetneb.
- Reflected cross-site scripting vulnerability (XSS) from POST request in ExportRowsCommand. Severity: high. CVE-2024-47880, GHSA-79jv-5226-783f. Reported by @wandernauta, fix by @wetneb.
- Error page lacks escaping, leading to potential XSS on import of malicious project. Severity: moderate. CVE-2024-47882, GHSA-j8hp-f2mj-586g
- Directory slip in LoadLanguageCommand. Severity: high. GHSA-qfwq-6jh6-8xx4. Reported and fixed by @wetneb.
Vulnerabilities in bundled extensions
- gdata: Reflected cross-site scripting vulnerability (XSS) in authorized.vt. CVE-2024-47878, GHSA-pw3x-c5vp-mfc3. Reported by @wandernauta, fix by @wetneb.
- gdata: leak of OAuth application credentials. Severity: high. GHSA-3pg4-qwc8-426r. Reported and fixed by @wetneb.
- database: SQLite integration allows filesystem access, remote code execution (RCE). Severity: high. CVE-2024-47881, GHSA-87cf-j763-vvh8. Reported by @wandernauta, fix by @wetneb.
Vulnerabilities in Butterfly (web framework used in OpenRefine)
- Path/URL confusion in resource handling leading to multiple weaknesses. Severity: critical. CVE-2024-47883, GHSA-3p8v-w8mr-m3x8. Reported by @wandernauta, fix by @wetneb.
- The parseJSON and getJSON functions eval malicious input, leading to remote code execution (RCE). Severity: moderate. GHSA-mpcw-3j5p-p99x. Reported by @wandernauta, fix by @wetneb.
Special thanks to @wandernauta for the hard work that went into analyzing and reporting those vulnerabilities responsibly and to @tfmorris for reviewing mitigations.
Files
| Name | Size |
|---|---|
| OpenRefine/OpenRefine-3.8.4.zip (md5:794f13368dca3bcf33634c14ea9ae129) | 8.0 MB |
Additional details
Related works
- Is supplement to: Software, https://github.com/OpenRefine/OpenRefine/tree/3.8.4 (URL)