彙總 openrefine 相關全部產品的 CVE 與安全漏洞情報,包括 CVSS、EPSS、公開時間與漏洞情報資料。
常見弱點模式包括 跨站腳本、SSRF、CSRF與XXE,在 軟體部署與生產負載 使用場景中可能帶來 檔案覆寫、工作階段劫持與資料外洩 等風險。
相關漏洞資料主要來源於公開漏洞披露與安全公告,可用於評估歷史漏洞暴露面與修補優先順序。
| CVE | 摘要 | 來源 | 最高 CVSS | EPSS % | 公開時間 | 更新時間 |
|---|---|---|---|---|---|---|
| CVE-2024-49760 | OpenRefine is a free, open source tool for working with messy data. The load-language command expects a `lang` parameter from which it constructs the path of the localization file to load, of the form `translations-$LANG.json`. But when doing so in versions prior to 3.8.3, it does not check that the resulting path is in the expected directory, which means that this command could be exploited to read other JSON files on the file system. Version 3.8.3 addresses this issue. | [email protected] | 7.1 | 0.60% | 2024-10-24 | 2026-06-17 |
| CVE-2024-47883 | The OpenRefine fork of the MIT Simile Butterfly server is a modular web application framework. The Butterfly framework uses the `java.net.URL` class to refer to (what are expected to be) local resource files, like images or templates. This works: "opening a connection" to these URLs opens the local file. However, prior to version 1.2.6, if a `file:/` URL is directly given where a relative path (resource name) is expected, this is also accepted in some code paths; the app then fetches the file, f | [email protected] | 9.1 | 1.60% | 2024-10-24 | 2026-06-17 |
| CVE-2024-47882 | OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the built-in "Something went wrong!" error page includes the exception message and exception traceback without escaping HTML tags, enabling injection into the page if an attacker can reliably produce an error with an attacker-influenced message. It appears that the only way to reach this code in OpenRefine itself is for an attacker to somehow convince a victim to import a malicious file, which may be diff | [email protected] | 5.9 | 0.49% | 2024-10-24 | 2026-06-17 |
| CVE-2024-47881 | OpenRefine is a free, open source tool for working with messy data. Starting in version 3.4-beta and prior to version 3.8.3, in the `database` extension, the "enable_load_extension" property can be set for the SQLite integration, enabling an attacker to load (local or remote) extension DLLs and so run arbitrary code on the server. The attacker needs to have network access to the OpenRefine instance. Version 3.8.3 fixes this issue. | [email protected] | 8.1 | 0.66% | 2024-10-24 | 2026-06-17 |
| CVE-2024-47880 | OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the `export-rows` command can be used in such a way that it reflects part of the request verbatim, with a Content-Type header also taken from the request. An attacker could lead a user to a malicious page that submits a form POST that contains embedded JavaScript code. This code would then be included in the response, along with an attacker-controlled `Content-Type` header, and so potentially executed in | [email protected] | 8.1 | 0.36% | 2024-10-24 | 2026-06-17 |
| CVE-2024-47879 | OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, lack of cross-site request forgery protection on the `preview-expression` command means that visiting a malicious website could cause an attacker-controlled expression to be executed. The expression can contain arbitrary Clojure or Python code. The attacker must know a valid project ID of a project that contains at least one row, and the attacker must convince the victim to open a malicious webpage. Versi | [email protected] | 7.6 | 0.39% | 2024-10-24 | 2026-06-17 |
| CVE-2024-47878 | OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the `/extension/gdata/authorized` endpoint includes the `state` GET parameter verbatim in a `<script>` tag in the output, so without escaping. An attacker could lead or redirect a user to a crafted URL containing JavaScript code, which would then cause that code to be executed in the victim's browser as if it was part of OpenRefine. Version 3.8.3 fixes this issue. | [email protected] | 8.1 | 0.44% | 2024-10-24 | 2026-06-17 |
| CVE-2024-23833 | OpenRefine is a free, open source power tool for working with messy data and improving it. A jdbc attack vulnerability exists in OpenRefine(version<=3.7.7) where an attacker may construct a JDBC query which may read files on the host filesystem. Due to the newer MySQL driver library in the latest version of OpenRefine (8.0.30), there is no associated deserialization utilization point, so original code execution cannot be achieved, but attackers can use this vulnerability to read sensitive files | [email protected] | 7.5 | 0.99% | 2024-02-12 | 2026-06-17 |
| CVE-2023-41887 | OpenRefine is a powerful free, open source tool for working with messy data. Prior to version 3.7.5, a remote code execution vulnerability allows any unauthenticated user to execute code on the server. Version 3.7.5 has a patch for this issue. | [email protected] | 9.8 | 45.47% | 2023-09-15 | 2026-06-17 |
| CVE-2023-41886 | OpenRefine is a powerful free, open source tool for working with messy data. Prior to version 3.7.5, an arbitrary file read vulnerability allows any unauthenticated user to read a file on a server. Version 3.7.5 fixes this issue. | [email protected] | 7.5 | 0.83% | 2023-09-15 | 2026-06-17 |
| CVE-2022-41401 | OpenRefine <= v3.5.2 contains a Server-Side Request Forgery (SSRF) vulnerability, which permits unauthorized users to exploit the system, potentially leading to unauthorized access to internal resources and sensitive file disclosure. | [email protected] | 6.5 | 1.16% | 2023-08-04 | 2026-06-17 |
| CVE-2023-37476 | OpenRefine is a free, open source tool for data processing. A carefully crafted malicious OpenRefine project tar file can be used to trigger arbitrary code execution in the context of the OpenRefine process if a user can be convinced to import it. The vulnerability exists in all versions of OpenRefine up to and including 3.7.3. Users should update to OpenRefine 3.7.4 as soon as possible. Users unable to upgrade should only import OpenRefine projects from trusted sources. | [email protected] | 5.5 | 0.63% | 2023-07-17 | 2026-06-17 |
| CVE-2019-3580 | OpenRefine through 3.1 allows arbitrary file write because Directory Traversal can occur during the import of a crafted project file. | [email protected] | 7.5 | 1.85% | 2019-01-02 | 2026-06-16 |
| CVE-2018-20157 | The data import functionality in OpenRefine through 3.1 allows an XML External Entity (XXE) attack through a crafted (zip) file, allowing attackers to read arbitrary files. | [email protected] | 7.5 | 1.74% | 2018-12-14 | 2026-06-16 |
| CVE-2018-19859 | OpenRefine before 3.2 beta allows directory traversal via a relative pathname in a ZIP archive. | [email protected] | 6.5 | 2.49% | 2018-12-05 | 2026-06-16 |