Platform
java
Component
org.openrefine:openrefine
Fixed in
3.8.4
3.8.3
CVE-2024-49760 describes a Path Traversal vulnerability within OpenRefine, a powerful tool for data cleaning and transformation. This flaw allows attackers to potentially read arbitrary JSON files from the server's file system. The vulnerability impacts versions of OpenRefine up to and including 3.8.2. A fix is available in version 3.8.3.
The core of the vulnerability lies in the load-language command, which constructs file paths based on a user-supplied lang parameter. Critically, OpenRefine fails to validate that the resulting path remains within the expected directory. An attacker can craft a malicious lang value containing path traversal sequences (e.g., ../..) to escape the intended directory and access files outside of it. This could lead to the exposure of sensitive configuration files, database credentials, or other critical data stored on the server. The blast radius extends to any data accessible via the file system, depending on the server's configuration and permissions.
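The flaw and its fix pattern, shown as an added Python example that is not OpenRefine's own code (OpenRefine is written in Java, and its real file layout is not on this page). It assumes translation files are stored as `<lang>.json` under a translations directory, a constructed assumption, and places the unchecked path construction next to a version that allowlists the language tag and then verifies the resolved path still lies inside that directory:

```python
import os
import re
from typing import Optional

# Constructed base directory standing in for the server's translations folder;
# a real deployment would use its own configured path.
TRANSLATIONS_DIR = "/srv/openrefine/translations"

# Conservative allowlist for language tags such as "en", "de", "pt-BR", "zh-Hant".
# A value that passes this cannot contain "/", "\" or "..", which removes the
# traversal primitive before any path is built.
LANG_TAG = re.compile(r"[A-Za-z]{2,3}(?:-[A-Za-z0-9]{2,8})*")


def vulnerable_translation_path(lang: str, base: str = TRANSLATIONS_DIR) -> str:
    """The flawed pattern: the user-supplied value is spliced into a path and
    nothing checks where the normalised result ends up."""
    return os.path.normpath(os.path.join(base, f"{lang}.json"))


def safe_translation_path(lang: str, base: str = TRANSLATIONS_DIR) -> Optional[str]:
    """Hardened pattern: reject anything that is not a plausible language tag,
    then resolve the candidate (following symlinks) and confirm it is still
    inside the base directory. Returns None when the request must be refused."""
    if not LANG_TAG.fullmatch(lang):
        return None
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, f"{lang}.json"))
    # commonpath, not startswith: "/srv/openrefine/translations-old/x.json"
    # starts with the base string but is not inside the base directory.
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    return candidate


if __name__ == "__main__":
    for lang in ("en", "pt-BR", "../../../../etc/passwd", "x/../../../../etc/shadow"):
        print(f"{lang!r:35} vulnerable -> {vulnerable_translation_path(lang)}")
        print(f"{'':35} hardened   -> {safe_translation_path(lang)}")
```

The allowlist alone already defeats the traversal; the containment check is kept as a second, independent layer so that a later change to the tag pattern or the file naming cannot silently reopen the hole.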
This vulnerability was publicly disclosed on 2024-10-24. No public exploits or active campaigns have been reported as of this writing, and the vulnerability is not currently listed on CISA KEV; however, the absence of a public proof-of-concept does not diminish the risk, because the flaw is straightforward to exploit.
Organizations using OpenRefine for data cleaning and transformation, particularly those running OpenRefine on publicly accessible servers or within shared hosting environments, are at risk. Systems with legacy OpenRefine installations or those lacking robust file system access controls are also more vulnerable.
• java / server: Monitor OpenRefine logs for requests containing suspicious directory traversal sequences in the lang parameter (e.g., ../).
• generic web: Use curl/wget to test the load-language endpoint with crafted lang parameters containing directory traversal sequences. Inspect the response for unexpected file content.
curl 'http://your-openrefine-server/load-language?lang=../../../../etc/passwd'
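The log-monitoring check from the first bullet, as an added Python example that is not part of this advisory or of OpenRefine. It runs over constructed access-log lines in combined format (the endpoint path `/load-language` is taken from the curl command above; the client addresses, timestamps and `lang` values are made up), decodes the `lang` parameter repeatedly so that double-encoded sequences such as `%252e%252e%252f` still surface, and flags every request whose decoded value contains `../` or `..\`:

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined log format); not real server data.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Oct/2024:10:00:01 +0000] "GET /load-language?lang=en HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Oct/2024:10:00:02 +0000] "GET /load-language?lang=../../../../etc/passwd HTTP/1.1" 200 1841 "-" "curl/8.4.0"
203.0.113.7 - - [25/Oct/2024:10:00:03 +0000] "GET /load-language?lang=%2e%2e%2f%2e%2e%2fconf%2fsecrets HTTP/1.1" 200 301 "-" "curl/8.4.0"
203.0.113.9 - - [25/Oct/2024:10:00:04 +0000] "GET /load-language?lang=..%255c..%255cconf HTTP/1.1" 200 301 "-" "python-requests/2.31"
203.0.113.5 - - [25/Oct/2024:10:00:05 +0000] "GET /project?project=123 HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Pulls method and request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# A parent-directory step with either separator, checked after decoding.
TRAVERSAL_RE = re.compile(r"\.\.[\\/]")


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo URL-encoding repeatedly (bounded) so nested encodings cannot hide
    the traversal sequence from a single-pass decoder."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(value: str) -> bool:
    """True if the decoded value contains a '../' or '..\\' step."""
    return TRAVERSAL_RE.search(fully_decode(value)) is not None


def flag_traversal_requests(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per load-language request whose lang parameter
    carries a traversal sequence. Only requests with the parameter in the
    query string are visible here; a lang sent in a POST body never reaches
    an access log and needs application-level logging instead."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        parts = urlsplit(match.group("target"))
        if not parts.path.endswith("/load-language"):
            continue
        # parse_qs already removes one layer of percent-encoding.
        for lang in parse_qs(parts.query, keep_blank_values=True).get("lang", []):
            if has_traversal(lang):
                findings.append({
                    "client": line.split(" ", 1)[0],
                    "lang": lang,
                    "decoded": fully_decode(lang),
                })
    return findings


if __name__ == "__main__":
    for finding in flag_traversal_requests(SAMPLE_LOG):
        print(f"{finding['client']:15} lang={finding['lang']!r} -> {finding['decoded']!r}")
```

The same `has_traversal` predicate is the test a WAF rule would need to express; matching the raw, once-decoded value only, as many rules do, misses the double-encoded form in the fourth sample line.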
Exploit status
EPSS
0.57% (68th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade OpenRefine to version 3.8.3 or later, which includes the necessary path validation fix. If an immediate upgrade is not feasible, consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious path traversal sequences in the lang parameter. Additionally, restrict file system permissions to minimize the potential damage if the vulnerability is exploited. Regularly review file system access logs for any unusual activity. After upgrading, confirm the fix by attempting to access a file outside the expected translations directory using a crafted lang parameter; the request should be rejected.
Upgrade OpenRefine to version 3.8.3 or later. This version fixes the path traversal vulnerability in the load-language command, preventing unauthorized access to files on the system.
CVE-2024-49760 is a Path Traversal vulnerability in OpenRefine affecting versions up to 3.8.2. It allows attackers to read arbitrary JSON files from the server's file system.
You are affected if you are using OpenRefine version 3.8.2 or earlier. Upgrade to 3.8.3 to mitigate the risk.
Upgrade OpenRefine to version 3.8.3 or later. As a temporary workaround, implement a WAF rule to block requests with suspicious directory traversal sequences.
As of now, there are no confirmed reports of active exploitation of CVE-2024-49760.
Refer to the OpenRefine project's security advisories on their website or GitHub repository for the latest information.