CVE-2024-23833: 
Java vulnerability analysis and mitigation

A JDBC attack vulnerability was discovered in OpenRefine versions 3.7.7 and earlier. The vulnerability allows an attacker to construct a JDBC query that can read files on the host filesystem. This vulnerability was disclosed on February 11, 2024, and affects all versions of OpenRefine up to and including version 3.7.7 (GitHub Advisory, NVD).

The vulnerability is a bypass of the previous CVE-2023-41887 vulnerability fix. It exploits the official MySQL syntax features in the Host parameter configuration during JDBC connection. The vulnerability exists in the com.google.refine.extension.database.mysql.MySQLConnectionManager#getConnection method where the Host part is directly concatenated without proper verification. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (GitHub Advisory).

Due to the newer MySQL driver library (version 8.0.30) in the latest version of OpenRefine, there is no associated deserialization utilization point, preventing code execution. However, attackers can exploit this vulnerability to read sensitive files on the target server (GitHub Advisory).

The vulnerability has been patched in OpenRefine version 3.7.8. Users are advised to upgrade to this version or later. The fix includes implementing proper validation of the database host parameter to prevent malicious configurations (GitHub Advisory, GitHub Patch).