GHSA-6P92-QFQF-QWX4
Vulnerability from github – Published: 2024-02-12 15:08 – Updated: 2024-02-12 21:35Summary
A jdbc attack vulnerability exists in OpenRefine(version<=3.7.7)
Details
Vulnerability Recurrence
Start by constructing a malicious MySQL Server (using the open source project MySQL_Fake_Server here).
Then go to the Jdbc connection trigger vulnerability
Vulnerability Analysis
This vulnerability is the bypass of CVE-2023-41887 vulnerability repair, the main vulnerability principle is actually the use of official syntax features, as shown in the following figure, when the connection we can perform parameter configuration in the Host part
In com.google.refine.extension.database.mysql.MySQLConnectionManager#getConnection method in the final JdbcUrl structure
That is, in the toURI method call here, you can see that the Host part is directly concatenated for any verification, which can be bypassed using the address feature of mysql
That is, in the toURI method call here, you can see that the Host part is directly concatenated for any verification, which can be bypassed using the address feature of mysql
PoC
Complete instructions, including specific configuration details, to reproduce the vulnerability.
Type: MySQL
Host: 127.0.0.1:3306,(host=127.0.0.1,port=3306,autoDeserialize=true,allowLoadLocalInfile=true,allowUrlInLocalInfile=true,allowLoadLocalInfileInPath=true),127.0.0.1
Port: 3306
User: win_hosts
Database: test
Impact
Due to the newer MySQL driver library in the latest version of OpenRefine (8.0.30), there is no associated deserialization utilization point, so original code execution cannot be achieved, but attackers can use this vulnerability to read sensitive files on the target server.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.7.7"
},
"package": {
"ecosystem": "Maven",
"name": "org.openrefine:database"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.7.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-23833"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2024-02-12T15:08:48Z",
"nvd_published_at": "2024-02-12T21:15:08Z",
"severity": "HIGH"
},
"details": "### Summary\nA jdbc attack vulnerability exists in OpenRefine(version\u003c=3.7.7)\n\n### Details\n#### Vulnerability Recurrence\nStart by constructing a malicious MySQL Server (using the open source project MySQL_Fake_Server here).\n\nThen go to the Jdbc connection trigger vulnerability\n\n#### Vulnerability Analysis\nThis vulnerability is the bypass of `CVE-2023-41887` vulnerability repair, the main vulnerability principle is actually the use of official syntax features, as shown in the following figure, when the connection we can perform parameter configuration in the Host part\n\nIn `com.google.refine.extension.database.mysql.MySQLConnectionManager#getConnection` method in the final JdbcUrl structure\n\nThat is, in the ` toURI` method call here, you can see that the Host part is directly concatenated for any verification, which can be bypassed using the address feature of mysql\n\nThat is, in the toURI method call here, you can see that the Host part is directly concatenated for any verification, which can be bypassed using the address feature of mysql\n\n\n\n\n### PoC\n_Complete instructions, including specific configuration details, to reproduce the vulnerability._\n```\nType: MySQL\nHost: 127.0.0.1:3306,(host=127.0.0.1,port=3306,autoDeserialize=true,allowLoadLocalInfile=true,allowUrlInLocalInfile=true,allowLoadLocalInfileInPath=true),127.0.0.1\nPort: 3306\nUser: win_hosts\nDatabase: test\n```\n\n\n### Impact \nDue to the newer MySQL driver library in the latest version of OpenRefine (8.0.30), there is no associated deserialization utilization point, so original code execution cannot be achieved, but attackers can use this vulnerability to read sensitive files on the target server.\n",
"id": "GHSA-6p92-qfqf-qwx4",
"modified": "2024-02-12T21:35:52Z",
"published": "2024-02-12T15:08:48Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-6p92-qfqf-qwx4"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23833"
},
{
"type": "WEB",
"url": "https://github.com/OpenRefine/OpenRefine/commit/41ccf574847d856e22488a7c0987ad8efa12a84a"
},
{
"type": "PACKAGE",
"url": "https://github.com/OpenRefine/OpenRefine"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "OpenRefine JDBC Attack Vulnerability"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.