6.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-41401

GHSA ID

GHSA-q7mc-fc87-v7w7

EPSS Score

0.89225%

CWE

CWE-918

Published

8/4/2023

Updated

11/10/2023

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-41401

CVE-2022-41401: OpenRefine Server-Side Request Forgery vulnerability

OpenRefine <= v3.5.2 contains a Server-Side Request Forgery (SSRF) vulnerability, which permits unauthorized users to exploit the system, potentially leading to unauthorized access to internal resources and sensitive file disclosure.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2022-41401

CVE-2022-41401:

6.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-41401

GHSA ID

GHSA-q7mc-fc87-v7w7

EPSS Score

0.89225%

CWE

CWE-918

Published

8/4/2023

Updated

11/10/2023

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.openrefine:main	maven	< 3.6.0	3.6.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from insufficient protocol validation in the URL handling code. The function retrieveContentFromPostRequest accepted arbitrary protocols (like file://) when processing 'download' parameters. The patch added a protocol allowlist check (allowedProtocols) to block non-whitelisted protocols, and the test case added in ImportingUtilitiesTests.java demonstrates blocking 'file://' URLs. The absence of this protocol validation in vulnerable versions allowed access to internal resources via SSRF.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2022-41401: OpenRefine Server-Side Request Forgery vulnerability

CVE-2022-41401:

6.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

6.5

6.5

Basic Information

Basic Information

CVE-2022-41401: OpenRefine Server-Side Request Forgery vulnerability

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI