CVE-2023-41886: 
Java vulnerability analysis and mitigation

OpenRefine, a powerful free and open-source tool for working with messy data, was found to contain an arbitrary file read vulnerability (CVE-2023-41886) prior to version 3.7.5. The vulnerability was discovered and disclosed in September 2023, affecting all versions up to 3.7.4. This security issue allowed any unauthenticated user to read files on the server where OpenRefine was installed (GitHub Advisory).

The vulnerability stems from improper handling of MySQL JDBC URL connections in the database import functionality. The issue particularly affects the database configuration component, where the way to obtain the database URL in MySQLConnectionManager.java was vulnerable to JDBC URL manipulation. The severity of the vulnerability has been rated as HIGH with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating network accessibility, low attack complexity, and no required privileges or user interaction (NVD).

The vulnerability allows an unauthenticated attacker to read arbitrary files on the server where OpenRefine is installed. The impact varies depending on the version of mysql-connector being used. For mysql-connector-java versions above 8.14, attackers need to explicitly set allowLoadLocalInfile to true in the connection string, while for versions 8.14 and below, this setting is true by default, making exploitation more straightforward (GitHub Advisory).

The vulnerability has been fixed in OpenRefine version 3.7.5. Users are strongly advised to upgrade to this version or later. The fix involves proper URI encoding of database parameters to prevent URL manipulation attacks (GitHub Commit).