CVE-2023-41887: 
Java vulnerability analysis and mitigation

OpenRefine, a free and open-source tool for working with messy data, was found to contain a remote code execution vulnerability (CVE-2023-41887) prior to version 3.7.5. The vulnerability allowed any unauthenticated user to execute arbitrary code on the server. The issue was discovered and disclosed in September 2023, affecting all versions of OpenRefine up to version 3.7.4 (GitHub Advisory).

The vulnerability stems from improper handling of JDBC URL components in the database extension. When using MySQL JDBC to connect to a database, the system was vulnerable to JDBC URL attacks. The issue could be exploited through MySQL deserialization if the mysql-connector-java version used on the server side was less than 8.20. The vulnerability has a CVSS v3.1 base score of 9.8 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and no required privileges or user interaction (Ubuntu CVE).

The vulnerability allows unauthenticated attackers to execute arbitrary code on the server, potentially leading to complete system compromise. The critical CVSS score of 9.8 indicates severe potential impacts on system confidentiality, integrity, and availability (NVD).

The vulnerability was patched in OpenRefine version 3.7.5. Users are strongly advised to upgrade to this version or later. The fix involves properly escaping JDBC URL components in the database extension (GitHub Patch).