{"id":"CVE-2023-41886","summary":"OpenRefine vulnerable to arbitrary file read in project import with mysql jdbc url attack","details":"OpenRefine is a powerful free, open source tool for working with messy data. Prior to version 3.7.5, an arbitrary file read vulnerability allows any unauthenticated user to read a file on a server. Version 3.7.5 fixes this issue.","aliases":["GHSA-qqh2-wvmv-h72m"],"modified":"2026-04-29T12:20:13.738495Z","published":"2023-09-15T20:05:20.651Z","database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-89"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/41xxx/CVE-2023-41886.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/41xxx/CVE-2023-41886.json"},{"type":"ADVISORY","url":"https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-qqh2-wvmv-h72m"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-41886"},{"type":"FIX","url":"https://github.com/OpenRefine/OpenRefine/commit/2de1439f5be63d9d0e89bbacbd24fa28c8c3e29d"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/openrefine/openrefine","events":[{"introduced":"0"},{"fixed":"2de1439f5be63d9d0e89bbacbd24fa28c8c3e29d"}]}],"versions":["2.6-beta.1","2.6-rc.2","2.7","2.7-rc.1","2.7-rc.2","2.8","3.0","3.0-beta","3.0-rc.1","3.1","3.1-beta","3.2","3.2-beta","3.3","3.3-beta","3.3-rc1","3.4-beta","3.5-beta1","3.7-beta2","v2.6-rc1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-41886.json","vanir_signatures_modified":"2026-04-29T12:20:13Z","vanir_signatures":[{"digest":{"length":931,"function_hash":"112013358395284153371966215564124581510"},"deprecated":false,"target":{"file":"extensions/database/src/com/google/refine/extension/database/mariadb/MariaDBConnectionManager.java","function":"getConnection"},"signature_type":"Function","id":"CVE-2023-41886-0a644659","source":"https://github.com/openrefine/openrefine/commit/2de1439f5be63d9d0e89bbacbd24fa28c8c3e29d","signature_version":"v1"},{"digest":{"line_hashes":["327175276617973140236574177639281372902","133401992607196297346054102790149442849","107966929631629464680997212269128087442","115126231447599679618367908713702056201","107299902640020052692365499410267929566","270127851368886019188868544405153422003","49864026166585960194532247500852524490"],"threshold":0.9},"deprecated":false,"target":{"file":"extensions/database/src/com/google/refine/extension/database/sqlite/SQLiteConnectionManager.java"},"signature_type":"Line","id":"CVE-2023-41886-1579884e","source":"https://github.com/openrefine/openrefine/commit/2de1439f5be63d9d0e89bbacbd24fa28c8c3e29d","signature_version":"v1"},{"digest":{"line_hashes":["51105809074562124868865597715872615067","176662979713726992854720158334792335592","304912067826687412005557055737383317470","204201973635903445520940849547246821035","242627320899175369581014955349415517909","72912773042994451738971112840290549233","317973846602094683004465163010862295351","16623836675517359104695111435518884941","1765836474915455923284713653214629070","321880713943457350286048360181421579566"],"threshold":0.9},"deprecated":false,"target":{"file":"extensions/database/src/com/google/refine/extension/database/pgsql/PgSQLConnectionManager.java"},"signature_type":"Line","id":"CVE-2023-41886-1ac9f05f","source":"https://github.com/openrefine/openrefine/commit/2de1439f5be63d9d0e89bbacbd24fa28c8c3e29d","signature_version":"v1"},{"digest":{"line_hashes":["51105809074562124868865597715872615067","176662979713726992854720158334792335592","304912067826687412005557055737383317470","207346423794384072692578311523052471007","65194962948448113154920370122671442619","242627320899175369581014955349415517909","72912773042994451738971112840290549233","317973846602094683004465163010862295351","16623836675517359104695111435518884941","1765836474915455923284713653214629070","321880713943457350286048360181421579566"],"threshold":0.9},"deprecated":false,"target":{"file":"extensions/database/src/com/google/refine/extension/database/mariadb/MariaDBConnectionManager.java"},"signature_type":"Line","id":"CVE-2023-41886-2c6d149b","source":"https://github.com/openrefine/openrefine/commit/2de1439f5be63d9d0e89bbacbd24fa28c8c3e29d","signature_version":"v1"},{"digest":{"line_hashes":["93499350387352243716344320377595364388","267136940035318533730105852909472639718","28535246610280580816079824868767641392","162516013320564762227329392284638372031","339825282732052753538233963653102392762","181659787796074723859127783665090684477","104158748872433304614834733600887157495","36691904264726742742548693439149172372","224134271848151467016820305230625111987","202253408300229988969493250320165698914"],"threshold":0.9},"deprecated":false,"target":{"file":"extensions/database/src/com/google/refine/extension/database/mysql/MySQLConnectionManager.java"},"signature_type":"Line","id":"CVE-2023-41886-657b77c8","source":"https://github.com/openrefine/openrefine/commit/2de1439f5be63d9d0e89bbacbd24fa28c8c3e29d","signature_version":"v1"},{"digest":{"length":898,"function_hash":"116830974008396641965816380333835860683"},"deprecated":false,"target":{"file":"extensions/database/src/com/google/refine/extension/database/pgsql/PgSQLConnectionManager.java","function":"getConnection"},"signature_type":"Function","id":"CVE-2023-41886-83153774","source":"https://github.com/openrefine/openrefine/commit/2de1439f5be63d9d0e89bbacbd24fa28c8c3e29d","signature_version":"v1"},{"digest":{"length":224,"function_hash":"186952275256751828015222685798655798773"},"deprecated":false,"target":{"file":"extensions/database/src/com/google/refine/extension/database/pgsql/PgSQLConnectionManager.java","function":"getDatabaseUrl"},"signature_type":"Function","id":"CVE-2023-41886-ba648e21","source":"https://github.com/openrefine/openrefine/commit/2de1439f5be63d9d0e89bbacbd24fa28c8c3e29d","signature_version":"v1"},{"digest":{"length":245,"function_hash":"114902112724010012119100223268060240339"},"deprecated":false,"target":{"file":"extensions/database/src/com/google/refine/extension/database/mysql/MySQLConnectionManager.java","function":"getDatabaseUrl"},"signature_type":"Function","id":"CVE-2023-41886-c02a138c","source":"https://github.com/openrefine/openrefine/commit/2de1439f5be63d9d0e89bbacbd24fa28c8c3e29d","signature_version":"v1"},{"digest":{"length":118,"function_hash":"143545153857631119613471487443513737974"},"deprecated":false,"target":{"file":"extensions/database/src/com/google/refine/extension/database/sqlite/SQLiteConnectionManager.java","function":"getDatabaseUrl"},"signature_type":"Function","id":"CVE-2023-41886-c5929cbd","source":"https://github.com/openrefine/openrefine/commit/2de1439f5be63d9d0e89bbacbd24fa28c8c3e29d","signature_version":"v1"},{"digest":{"length":931,"function_hash":"182346756318723732980500139483911676077"},"deprecated":false,"target":{"file":"extensions/database/src/com/google/refine/extension/database/mysql/MySQLConnectionManager.java","function":"getConnection"},"signature_type":"Function","id":"CVE-2023-41886-d1b29ae3","source":"https://github.com/openrefine/openrefine/commit/2de1439f5be63d9d0e89bbacbd24fa28c8c3e29d","signature_version":"v1"},{"digest":{"length":224,"function_hash":"186952275256751828015222685798655798773"},"deprecated":false,"target":{"file":"extensions/database/src/com/google/refine/extension/database/mariadb/MariaDBConnectionManager.java","function":"getDatabaseUrl"},"signature_type":"Function","id":"CVE-2023-41886-dff07a1f","source":"https://github.com/openrefine/openrefine/commit/2de1439f5be63d9d0e89bbacbd24fa28c8c3e29d","signature_version":"v1"},{"digest":{"line_hashes":["157147032808925695163598661071258904799","44842798372803525762741894040819113427"],"threshold":0.9},"deprecated":false,"target":{"file":"extensions/database/src/com/google/refine/extension/database/DatabaseConfiguration.java"},"signature_type":"Line","id":"CVE-2023-41886-e49b13d4","source":"https://github.com/openrefine/openrefine/commit/2de1439f5be63d9d0e89bbacbd24fa28c8c3e29d","signature_version":"v1"}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}