Vulnerability Description
OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the built-in "Something went wrong!" error page includes the exception message and exception traceback without escaping HTML tags, enabling injection into the page if an attacker can reliably produce an error with an attacker-influenced message. It appears that the only way to reach this code in OpenRefine itself is for an attacker to somehow convince a victim to import a malicious file, which may be difficult. However, out-of-tree extensions may add their own calls to `respondWithErrorPage`. Version 3.8.3 has a fix for this issue.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Openrefine | Openrefine | < 3.8.3 |
Related Weaknesses (CWE)
References
- https://github.com/OpenRefine/OpenRefine/blob/master/main/webapp/modules/core/erProduct
- https://github.com/OpenRefine/OpenRefine/commit/85594e75e7b36025f7b6a67dcd3ec253Patch
- https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-j8hp-f2mj-586gExploitThird Party Advisory
FAQ
What is CVE-2024-47882?
CVE-2024-47882 is a vulnerability with a CVSS score of 5.9 (MEDIUM). OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the built-in "Something went wrong!" error page includes the exception message and exception traceback witho...
How severe is CVE-2024-47882?
CVE-2024-47882 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-47882?
Check the references section above for vendor advisories and patch information. Affected products include: Openrefine Openrefine.