VYPR
High severity · NVD Advisory · Published Feb 12, 2024 · Updated May 7, 2025

OpenRefine JDBC Attack Vulnerability

CVE-2024-23833

Description

OpenRefine is a free, open source power tool for working with messy data and improving it. A JDBC attack vulnerability exists in OpenRefine (version <= 3.7.7) where an attacker may construct a JDBC query which may read files on the host filesystem. Due to the newer MySQL driver library in the latest version of OpenRefine (8.0.30), there is no associated deserialization utilization point, so original code execution cannot be achieved, but attackers can use this vulnerability to read sensitive files on the target server. This issue has been addressed in version 3.7.8. Users are advised to upgrade. There are no known workarounds for this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

OpenRefine <=3.7.7 allows file disclosure via crafted JDBC connections using host parameter injection, fixed in 3.7.8.

CVE-2024-23833: JDBC Attack in OpenRefine

OpenRefine versions up to and including 3.7.7 contain a vulnerability that allows an attacker to read arbitrary files on the host system by constructing a malicious JDBC connection string [1][3]. The root cause lies in MySQLConnectionManager#getConnection where the host parameter is concatenated into the JDBC URL without sanitization. By embedding JDBC connection properties (such as allowLoadLocalInfile=true) within the host field, an attacker can bypass existing fixes for a similar issue (CVE-2023-41887) and force the MySQL driver to read local files when a connection is established [3].

Exploitation requires the ability to specify a JDBC connection within OpenRefine—typically through its database import functionality. An attacker sets up a fake MySQL server or uses a specially crafted host string containing parentheses and key-value pairs (e.g., 127.0.0.1:3306,(allowLoadLocalInfile=true,...),127.0.0.1) [3]. Once a victim or automated process triggers the connection, the MySQL Connector/J 8.0.30 driver interprets the embedded properties, enabling local file reads without needing deserialization attacks [1][3].

The impact is limited to file disclosure; due to the MySQL driver version used in OpenRefine, code execution via deserialization is not achievable [1][3]. However, an attacker could read sensitive files from the server's filesystem, such as configuration files, SSH keys, or application secrets. The vulnerability is rated with a CVSS v3.1 base score of 7.5 (High) on the NVD, reflecting the potential for significant information disclosure [1].

The issue is addressed in OpenRefine 3.7.8 [1][4]. The fix introduces input validation in DatabaseConfiguration#setDatabaseHost, rejecting hosts that contain parentheses or equals signs, which prevents injection of additional JDBC parameters [4]. Users are strongly advised to upgrade to version 3.7.8 or later. No workarounds are available [1].
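As an added example (not OpenRefine's code), the same host check done as an allowlist rather than the denylist used in the fix: a host field is accepted only if it parses as a single DNS name or IPv4 literal with an optional port, so the multi-host and "(key=value)" property syntaxes described above are rejected before any JDBC URL is assembled. The names parse_db_host, is_valid_db_host and build_mysql_url are mine; bracketed IPv6 literals are left out for brevity.

```python
import ipaddress
import re
from typing import Optional, Tuple
from urllib.parse import quote

# Added example, not OpenRefine code.  Instead of rejecting "(" and "=", accept
# only what a single endpoint can look like: a DNS name or IPv4 literal with an
# optional ":port".  Commas, parentheses and "=" never match, so Connector/J's
# multi-host and "(key=value)" property syntaxes cannot ride in on this field.
# (Bracketed IPv6 literals are left out of this example for brevity.)
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_HOSTNAME = re.compile(rf"^(?=.{{1,253}}$){_LABEL}(\.{_LABEL})*\.?$")

def _parse_port(text: str) -> int:
    if not text.isdigit() or not 1 <= int(text) <= 65535:
        raise ValueError(f"invalid port: {text!r}")
    return int(text)

def parse_db_host(value: str) -> Tuple[str, Optional[int]]:
    """Return (host, port) for a plain host[:port]; raise ValueError otherwise."""
    if not isinstance(value, str) or not value:
        raise ValueError("host must be a non-empty string")
    if value.count(":") > 1:
        raise ValueError("more than one ':' in host")
    host, sep, port_text = value.partition(":")
    port = _parse_port(port_text) if sep else None  # "host:" and "host:3306,x" fail here
    try:
        ipaddress.IPv4Address(host)
    except ValueError:
        if not _HOSTNAME.match(host):
            raise ValueError(f"invalid host: {host!r}") from None
    return host, port

def is_valid_db_host(value: str) -> bool:
    try:
        parse_db_host(value)
        return True
    except ValueError:
        return False

def build_mysql_url(host: str, database: str) -> str:
    """Assemble the JDBC URL only from a validated host and a percent-encoded database name."""
    h, p = parse_db_host(host)
    authority = h if p is None else f"{h}:{p}"
    return f"jdbc:mysql://{authority}/{quote(database, safe='')}"
```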

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                          Affected versions   Patched versions
org.openrefine:database (Maven)  < 3.7.8             3.7.8


Patches (1)

41ccf574847d

Merge pull request from GHSA-6p92-qfqf-qwx4

https://github.com/OpenRefine/OpenRefine · Antonin Delpeuch · Feb 10, 2024 · via ghsa
2 files changed · +19 −0
  • extensions/database/src/com/google/refine/extension/database/DatabaseConfiguration.java (+7 −0, modified)
    @@ -67,6 +67,13 @@ public String getDatabaseHost() {
         }
     
         public void setDatabaseHost(String databaseServer) {
    +        // forbid setting settings inside the host parameter:
    +        // https://dev.mysql.com/doc/connector-j/en/connector-j-reference-jdbc-url-format.html
    +        if (databaseServer == null ||
    +                databaseServer.contains("(") ||
    +                databaseServer.contains("=")) {
    +            throw new IllegalArgumentException("Invalid host supplied");
    +        }
             this.databaseHost = databaseServer;
         }
     
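Review bot: the new guard in setDatabaseHost is a denylist on `(` and `=`, which covers the Connector/J property syntaxes but still lets through other characters that have no place in a single host, such as `,` (the multi-host separator used in the test string) and whitespace; an allowlist (hostname or IP literal with an optional `:port`) would reject those as well and would not need revisiting if the driver's URL grammar grows. Note also that `databaseServer == null` now throws IllegalArgumentException where the null was previously stored as-is, so callers that construct a DatabaseConfiguration before the host is known should be checked, and the thrown exception should be documented on the setter.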
    
  • extensions/database/tests/src/com/google/refine/extension/database/DatabaseConfigurationTest.java (+12 −0, modified)
    @@ -1,5 +1,8 @@
     package com.google.refine.extension.database;
     
    +import static org.testng.Assert.assertEquals;
    +import static org.testng.Assert.assertThrows;
    +
     import org.testng.annotations.Test;
     
     import static org.testng.Assert.assertEquals;
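Review bot: the added `import static org.testng.Assert.assertEquals;` duplicates the static import of assertEquals that already exists two lines below; drop one of them and keep the two static imports together with the new assertThrows import so the import block stays tidy.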
    @@ -18,4 +21,13 @@ public void testToURI() {
             // the database name is escaped, preventing the exploit
             assertEquals(url, "jdbc:mysql://my.host/test%3FallowLoadLocalInfile=true%23");
         }
    +
    +    @Test
    +    public void testSetMaliciousHost() {
    +        DatabaseConfiguration config = new DatabaseConfiguration();
    +        config.setDatabaseType("mysql");
    +
    +        assertThrows(IllegalArgumentException.class,
    +                () -> config.setDatabaseHost("127.0.0.1:3306,(allowLoadLocalInfile=true,allowUrlInLocalInfile=true),127.0.0.1"));
    +    }
     }
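Review bot: testSetMaliciousHost exercises only the `(` branch of the new check, and only with the full multi-host string; add a case that contains just `=` (for example `host=127.0.0.1`) and a null host, plus a positive case such as `127.0.0.1:3306` or `my.host` asserting that no exception is thrown, so the test shows the validation is neither too narrow nor too broad.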
    
