{"id":"CVE-2023-41887","summary":"Remote Code exec in project import with mysql jdbc url attack","details":"OpenRefine is a powerful free, open source tool for working with messy data. Prior to version 3.7.5, a remote code execution vulnerability allows any unauthenticated user to execute code on the server. Version 3.7.5 has a patch for this issue.","aliases":["GHSA-p3r5-x3hr-gpg5"],"modified":"2026-04-29T12:20:13.418060Z","published":"2023-09-15T20:06:55.728Z","database_specific":{"cwe_ids":["CWE-89"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/41xxx/CVE-2023-41887.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/41xxx/CVE-2023-41887.json"},{"type":"ADVISORY","url":"https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-p3r5-x3hr-gpg5"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-41887"},{"type":"FIX","url":"https://github.com/OpenRefine/OpenRefine/commit/693fde606d4b5b78b16391c29d110389eb605511"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/openrefine/openrefine","events":[{"introduced":"0"},{"fixed":"693fde606d4b5b78b16391c29d110389eb605511"}]}],"versions":["2.6-beta.1","2.6-rc.2","2.7","2.7-rc.1","2.7-rc.2","2.8","3.0","3.0-beta","3.0-rc.1","3.1","3.1-beta","3.2","3.2-beta","3.3","3.3-beta","3.3-rc1","3.4-beta","3.5-beta1","3.7-beta2","3.7-beta3","3.7-beta4","3.7-beta5","3.7.0","3.7.1","3.7.2","3.7.3","3.7.4","v2.6-rc1"],"database_specific":{"vanir_signatures_modified":"2026-04-29T12:20:13Z","source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-41887.json","vanir_signatures":[{"target":{"file":"extensions/database/src/com/google/refine/extension/database/pgsql/PgSQLConnectionManager.java","function":"getConnection"},"digest":{"function_hash":"116830974008396641965816380333835860683","length":898},"deprecated":false,"signature_type":"Function","source":"https://github.com/openrefine/openrefine/commit/693fde606d4b5b78b16391c29d110389eb605511","id":"CVE-2023-41887-0f333938","signature_version":"v1"},{"target":{"file":"extensions/database/src/com/google/refine/extension/database/sqlite/SQLiteConnectionManager.java","function":"getDatabaseUrl"},"digest":{"function_hash":"143545153857631119613471487443513737974","length":118},"deprecated":false,"signature_type":"Function","source":"https://github.com/openrefine/openrefine/commit/693fde606d4b5b78b16391c29d110389eb605511","id":"CVE-2023-41887-1d895667","signature_version":"v1"},{"target":{"file":"extensions/database/src/com/google/refine/extension/database/sqlite/SQLiteConnectionManager.java"},"digest":{"threshold":0.9,"line_hashes":["327175276617973140236574177639281372902","133401992607196297346054102790149442849","107966929631629464680997212269128087442","115126231447599679618367908713702056201","107299902640020052692365499410267929566","270127851368886019188868544405153422003","49864026166585960194532247500852524490"]},"deprecated":false,"signature_type":"Line","source":"https://github.com/openrefine/openrefine/commit/693fde606d4b5b78b16391c29d110389eb605511","id":"CVE-2023-41887-1efe4611","signature_version":"v1"},{"target":{"file":"extensions/database/src/com/google/refine/extension/database/mysql/MySQLConnectionManager.java"},"digest":{"threshold":0.9,"line_hashes":["93499350387352243716344320377595364388","267136940035318533730105852909472639718","28535246610280580816079824868767641392","162516013320564762227329392284638372031","339825282732052753538233963653102392762","181659787796074723859127783665090684477","104158748872433304614834733600887157495","36691904264726742742548693439149172372","224134271848151467016820305230625111987","202253408300229988969493250320165698914"]},"deprecated":false,"signature_type":"Line","source":"https://github.com/openrefine/openrefine/commit/693fde606d4b5b78b16391c29d110389eb605511","id":"CVE-2023-41887-23c3b392","signature_version":"v1"},{"target":{"file":"extensions/database/src/com/google/refine/extension/database/mariadb/MariaDBConnectionManager.java"},"digest":{"threshold":0.9,"line_hashes":["51105809074562124868865597715872615067","176662979713726992854720158334792335592","304912067826687412005557055737383317470","207346423794384072692578311523052471007","65194962948448113154920370122671442619","242627320899175369581014955349415517909","72912773042994451738971112840290549233","317973846602094683004465163010862295351","16623836675517359104695111435518884941","1765836474915455923284713653214629070","321880713943457350286048360181421579566"]},"deprecated":false,"signature_type":"Line","source":"https://github.com/openrefine/openrefine/commit/693fde606d4b5b78b16391c29d110389eb605511","id":"CVE-2023-41887-560d9b77","signature_version":"v1"},{"target":{"file":"extensions/database/src/com/google/refine/extension/database/mariadb/MariaDBConnectionManager.java","function":"getConnection"},"digest":{"function_hash":"112013358395284153371966215564124581510","length":931},"deprecated":false,"signature_type":"Function","source":"https://github.com/openrefine/openrefine/commit/693fde606d4b5b78b16391c29d110389eb605511","id":"CVE-2023-41887-6523c90b","signature_version":"v1"},{"target":{"file":"extensions/database/src/com/google/refine/extension/database/pgsql/PgSQLConnectionManager.java","function":"getDatabaseUrl"},"digest":{"function_hash":"186952275256751828015222685798655798773","length":224},"deprecated":false,"signature_type":"Function","source":"https://github.com/openrefine/openrefine/commit/693fde606d4b5b78b16391c29d110389eb605511","id":"CVE-2023-41887-b139c6e6","signature_version":"v1"},{"target":{"file":"extensions/database/src/com/google/refine/extension/database/mysql/MySQLConnectionManager.java","function":"getDatabaseUrl"},"digest":{"function_hash":"114902112724010012119100223268060240339","length":245},"deprecated":false,"signature_type":"Function","source":"https://github.com/openrefine/openrefine/commit/693fde606d4b5b78b16391c29d110389eb605511","id":"CVE-2023-41887-b84c6c8b","signature_version":"v1"},{"target":{"file":"extensions/database/src/com/google/refine/extension/database/DatabaseConfiguration.java"},"digest":{"threshold":0.9,"line_hashes":["157147032808925695163598661071258904799","44842798372803525762741894040819113427"]},"deprecated":false,"signature_type":"Line","source":"https://github.com/openrefine/openrefine/commit/693fde606d4b5b78b16391c29d110389eb605511","id":"CVE-2023-41887-d15d2307","signature_version":"v1"},{"target":{"file":"extensions/database/src/com/google/refine/extension/database/mysql/MySQLConnectionManager.java","function":"getConnection"},"digest":{"function_hash":"182346756318723732980500139483911676077","length":931},"deprecated":false,"signature_type":"Function","source":"https://github.com/openrefine/openrefine/commit/693fde606d4b5b78b16391c29d110389eb605511","id":"CVE-2023-41887-e13f4ff7","signature_version":"v1"},{"target":{"file":"extensions/database/src/com/google/refine/extension/database/mariadb/MariaDBConnectionManager.java","function":"getDatabaseUrl"},"digest":{"function_hash":"186952275256751828015222685798655798773","length":224},"deprecated":false,"signature_type":"Function","source":"https://github.com/openrefine/openrefine/commit/693fde606d4b5b78b16391c29d110389eb605511","id":"CVE-2023-41887-eabd928c","signature_version":"v1"},{"target":{"file":"extensions/database/src/com/google/refine/extension/database/pgsql/PgSQLConnectionManager.java"},"digest":{"threshold":0.9,"line_hashes":["51105809074562124868865597715872615067","176662979713726992854720158334792335592","304912067826687412005557055737383317470","204201973635903445520940849547246821035","242627320899175369581014955349415517909","72912773042994451738971112840290549233","317973846602094683004465163010862295351","16623836675517359104695111435518884941","1765836474915455923284713653214629070","321880713943457350286048360181421579566"]},"deprecated":false,"signature_type":"Line","source":"https://github.com/openrefine/openrefine/commit/693fde606d4b5b78b16391c29d110389eb605511","id":"CVE-2023-41887-f7294780","signature_version":"v1"}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}