OpenRefine 3.8.4
This release fixes a collection of important vulnerabilities in OpenRefine. We encourage users to upgrade swiftly.
To continue using the Google Drive and Google Sheets integration, users need to obtain their own application credentials from the Google API Console.
Note: the vulnerability fixes were originally released as 3.8.3 but that version is dysfunctional due to human errors in the release process. The description of the vulnerabilities is included again here for visibility.
Vulnerabilities in OpenRefine
- PreviewExpressionCommand, which evaluates user-supplied expressions, lacks protection against cross-site request forgery (CSRF). CVE-2024-47879, GHSA-3jm4-c6qf-jrh3. Reported by @wandernauta, fix by @wetneb.
- Reflected cross-site scripting vulnerability (XSS) from POST request in ExportRowsCommand. Severity: high. CVE-2024-47880, GHSA-79jv-5226-783f. Reported by @wandernauta, fix by @wetneb.
- Error page lacks escaping, leading to potential XSS on import of malicious project. Severity: moderate. CVE-2024-47882, GHSA-j8hp-f2mj-586g
- Directory traversal in LoadLanguageCommand. Severity: high. GHSA-qfwq-6jh6-8xx4. Reported and fixed by @wetneb.
Vulnerabilities in bundled extensions
- gdata: Reflected cross-site scripting vulnerability (XSS) in authorized.vt. CVE-2024-47878, GHSA-pw3x-c5vp-mfc3. Reported by @wandernauta, fix by @wetneb.
- gdata: leak of OAuth application credentials. Severity: high. GHSA-3pg4-qwc8-426r. Reported and fixed by @wetneb.
- database: SQLite integration allows filesystem access and remote code execution (RCE). Severity: high. CVE-2024-47881, GHSA-87cf-j763-vvh8. Reported by @wandernauta, fix by @wetneb.
Vulnerabilities in Butterfly (web framework used in OpenRefine)
- Path/URL confusion in resource handling leading to multiple weaknesses. Severity: critical. CVE-2024-47883, GHSA-3p8v-w8mr-m3x8. Reported by @wandernauta, fix by @wetneb.
- The parseJSON and getJSON functions evaluate their input as code, so malicious input leads to remote code execution (RCE). Severity: moderate. GHSA-mpcw-3j5p-p99x. Reported by @wandernauta, fix by @wetneb.
Special thanks to @wandernauta for the hard work that went into analyzing and reporting these vulnerabilities responsibly, and to @tfmorris for reviewing the mitigations.