Platform
java
Component
org.openrefine:openrefine
Fixed in
3.8.4
3.8.3
CVE-2024-49760 is a path traversal vulnerability in OpenRefine, an open-source tool for cleaning and transforming tabular data. It allows anyone who can send requests to the OpenRefine HTTP interface to read arbitrary JSON files from the server's file system. The vulnerability affects OpenRefine versions up to and including 3.8.2 and is fixed in version 3.8.3.
The flaw is in the load-language command, which builds the path of a translation file from the user-supplied lang parameter. OpenRefine never checked that the resulting path stays inside the directory that holds the localization files, so a lang value containing traversal sequences (e.g., ../..) resolves to a file outside that directory. Because the command only ever builds a .json file name from the value, the read is limited to files ending in .json, but that still covers configuration files, application data, and any other JSON the OpenRefine process can read. The blast radius therefore depends on what JSON files exist on the host and on the permissions of the account OpenRefine runs as.
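To make the flaw and the fix concrete, here is an added example in Java. It is not OpenRefine's code: the class, the method names and the assumed `translations/<lang>.json` layout are hypothetical. It shows the unchecked resolution the page describes beside a hardened version that normalizes the path and requires it to remain inside the language directory.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Illustrative loader for the load-language pattern described above.
 * NOT OpenRefine's code: directory layout, names and suffix handling are
 * assumptions chosen for the demonstration.
 */
public class LanguageLoader {

    private final Path langDir;

    public LanguageLoader(Path langDir) {
        // Canonicalise the base once so every later comparison is on the same form.
        this.langDir = langDir.toAbsolutePath().normalize();
    }

    /** Vulnerable form: the user-controlled value goes straight into the path. */
    public Path resolveUnchecked(String lang) {
        return langDir.resolve(lang + ".json");
    }

    /**
     * Hardened form: normalise the candidate and require that it stay under
     * langDir. Checking the normalised path (instead of searching for "..")
     * also rejects "en/../../x" and absolute values such as "/etc/app/config".
     */
    public Path resolveChecked(String lang) {
        if (lang == null || lang.isEmpty()) {
            throw new IllegalArgumentException("lang is required");
        }
        Path candidate = langDir.resolve(lang + ".json").normalize();
        // Path.startsWith compares whole path components, so a sibling directory
        // such as /opt/app/translations-old does not pass as a prefix match.
        if (!candidate.startsWith(langDir) || !langDir.equals(candidate.getParent())) {
            throw new IllegalArgumentException("lang escapes the language directory: " + lang);
        }
        return candidate;
    }

    /** Read a translation file only through the checked resolver. */
    public String loadChecked(String lang) throws IOException {
        return Files.readString(resolveChecked(lang));
    }

    public static void main(String[] args) {
        LanguageLoader loader = new LanguageLoader(Paths.get("/opt/app/translations"));
        // Constructed inputs: two legitimate codes and three traversal attempts.
        String[] inputs = { "en", "de-DE", "../../etc/passwd", "/etc/app/config", "en/../../secret" };
        for (String lang : inputs) {
            System.out.println("unchecked: " + loader.resolveUnchecked(lang).normalize());
            try {
                System.out.println("checked:   " + loader.resolveChecked(lang));
            } catch (IllegalArgumentException e) {
                System.out.println("checked:   rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

Path.normalize() is purely lexical. If the language directory may itself contain symbolic links, compare against toRealPath() instead, which follows links but requires the file to exist.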
CVE-2024-49760 was publicly disclosed on 2024-10-24. At the time of writing there are no known active exploitation campaigns targeting this vulnerability, no public proof-of-concept (PoC) code has been released, and the vulnerability has not been added to the CISA KEV catalog.
Exploit Status
EPSS: 0.57% (68th percentile)
The primary mitigation is to upgrade OpenRefine to version 3.8.3 or later, which adds the missing path validation. If an immediate upgrade is not feasible, a Web Application Firewall (WAF) rule that blocks requests to load-language whose lang parameter contains directory traversal sequences reduces exposure, but treat it as a stopgap: the value may be percent-encoded (for example %2e%2e%2f, or double-encoded), and servlet-style parameter parsing accepts it in either the query string or a form-encoded body, so a rule that only matches a literal ../ in the URL is easily bypassed. Also check how OpenRefine is exposed: by default it listens only on 127.0.0.1, so binding it to a network interface (or placing it behind a reverse proxy) widens who can reach the command. Run the OpenRefine process under an account with the narrowest file system permissions that still let it read its own workspace, so a successful read cannot reach other services' configuration, and review request and file access logs for load-language calls with unusual lang values.
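As an added example of the log review suggested above (not code from OpenRefine or the page's authors), the following Java class scans access-log lines for load-language requests whose lang value looks like a traversal attempt. It percent-decodes repeatedly so double-encoded values are caught too. The common-log-format layout, the /command/core/load-language route and the sample lines are assumptions constructed for the demonstration.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Flags access-log lines in which load-language was called with a lang
 * value that could leave a single directory. Illustrative only: log
 * format, route and sample traffic are assumptions, not OpenRefine's code.
 */
public class LoadLanguageAudit {

    // Request line of a common-log-format entry: "METHOD target HTTP/x.y"
    private static final Pattern REQUEST_LINE =
            Pattern.compile("\"(GET|POST) (\\S+) HTTP/\\d\\.\\d\"");

    /** Percent-decode until the value stops changing so %252e%252e is caught. */
    static String fullyDecode(String value) {
        String current = value;
        for (int i = 0; i < 5; i++) {
            String next;
            try {
                next = URLDecoder.decode(current, StandardCharsets.UTF_8);
            } catch (IllegalArgumentException malformed) {
                break; // malformed %xx sequence: keep what we have
            }
            if (next.equals(current)) break;
            current = next;
        }
        return current;
    }

    /** Raw (still encoded) lang value from the request target, or null if absent. */
    static String rawLangParam(String target) {
        int q = target.indexOf('?');
        if (q < 0) return null;
        for (String pair : target.substring(q + 1).split("&")) {
            int eq = pair.indexOf('=');
            String key = eq < 0 ? pair : pair.substring(0, eq);
            if (key.equals("lang")) return eq < 0 ? "" : pair.substring(eq + 1);
        }
        return null;
    }

    /** True when the decoded value contains a parent reference, is absolute, or has a NUL. */
    static boolean isTraversal(String rawLang) {
        String decoded = fullyDecode(rawLang).replace('\\', '/');
        return decoded.contains("../") || decoded.endsWith("..")
                || decoded.startsWith("/") || decoded.indexOf('\0') >= 0;
    }

    /** Returns the log lines an analyst should review. */
    public static List<String> flagSuspicious(List<String> logLines) {
        List<String> hits = new ArrayList<>();
        for (String line : logLines) {
            Matcher m = REQUEST_LINE.matcher(line);
            if (!m.find()) continue;
            String target = m.group(2);
            if (!target.contains("/load-language")) continue;
            String lang = rawLangParam(target);
            if (lang != null && isTraversal(lang)) hits.add(line);
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample lines, not real traffic.
        List<String> sample = Arrays.asList(
            "10.0.0.5 - - [24/Oct/2024:10:15:01 +0000] \"GET /command/core/load-language?module=core&lang=en HTTP/1.1\" 200 5120",
            "10.0.0.9 - - [24/Oct/2024:10:15:07 +0000] \"GET /command/core/load-language?module=core&lang=..%2F..%2Fconfig HTTP/1.1\" 200 812",
            "10.0.0.9 - - [24/Oct/2024:10:15:09 +0000] \"GET /command/core/load-language?lang=%252e%252e%252fsecrets HTTP/1.1\" 404 0",
            "10.0.0.7 - - [24/Oct/2024:10:16:00 +0000] \"GET /project?project=1 HTTP/1.1\" 200 9000");
        for (String hit : flagSuspicious(sample)) {
            System.out.println("REVIEW: " + hit);
        }
    }
}
```

Only the second and third sample lines are reported. Standard access logs record the query string but not POST bodies, so a parameter sent in a form-encoded body would be invisible to this scan; log or inspect request bodies at the reverse proxy or WAF if you need coverage there.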
Upgrade OpenRefine to version 3.8.3 or later. That version fixes the path traversal vulnerability in the load-language command, preventing unauthorized access to files on the system.
CVE-2024-49760 is a Path Traversal vulnerability in OpenRefine affecting versions up to 3.8.2. It allows attackers to read arbitrary JSON files from the server's file system.
You are affected if you are running OpenRefine version 3.8.2 or earlier. Upgrade to 3.8.3 or later to remove the risk.
Upgrade OpenRefine to version 3.8.3 or later. As a temporary workaround, add a WAF rule that blocks load-language requests whose lang parameter contains directory traversal sequences, including URL-encoded forms.
As of now, there are no confirmed reports of active exploitation of CVE-2024-49760.
Refer to the OpenRefine project's security advisories on their website or GitHub repository for the latest information.