CVE-2024-47879: 
Java vulnerability analysis and mitigation

OpenRefine, a free and open-source tool for working with messy data, was found to contain a critical vulnerability (CVE-2024-47879) prior to version 3.8.3. The vulnerability stems from a lack of cross-site request forgery (CSRF) protection on the preview-expression command, which could allow attackers to execute arbitrary code through malicious websites (GitHub Advisory, NVD).

The vulnerability exists in the PreviewExpressionCommand functionality, which lacked CSRF protection despite handling potentially dangerous operations. The command can execute expressions written in GREL, Python, or Clojure without restrictions. The vulnerability received a CVSS v3.1 base score of 8.8 HIGH (NIST) and 7.6 HIGH (GitHub), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L. The issue is classified under CWE-352 (Cross-Site Request Forgery) and CWE-94 (Improper Control of Generation of Code) (NVD).

If exploited, this vulnerability allows attackers to execute arbitrary Clojure or Python code on the target system. The attacker must know a valid project ID of a project containing at least one row and convince the victim to open a malicious webpage. The executed code would run with the same privileges as the OpenRefine user, potentially leading to system compromise (GitHub Advisory).

The vulnerability has been fixed in OpenRefine version 3.8.3. Users are strongly advised to upgrade to this version or later. The fix implements proper CSRF protection for the preview-expression command (NVD, Ubuntu Security).