Platform
java
Component
org.openrefine:openrefine
Fixed versions
3.8.4
3.8.3
CVE-2024-49760 describes a path traversal vulnerability in OpenRefine, an open-source tool for cleaning and transforming data. The flaw allows an attacker to read arbitrary JSON files from the server's file system. It affects OpenRefine versions up to and including 3.8.2; the fix ships in version 3.8.3.
The vulnerability sits in the load-language command, which builds the path of a localization file from the user-supplied lang parameter. OpenRefine does not validate that the resulting path stays inside the directory that holds the localization files, so an attacker can put directory traversal sequences (e.g., ../..) into lang and make the command resolve a file outside that directory. Because the command reads JSON files, the exposure is limited to JSON files the OpenRefine process can read, which may still include configuration files and application data. The practical blast radius depends on the server's layout and on the permissions of the OpenRefine process.
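The following Python block is an added illustration of the flaw described above and of the two checks that close it; it is not OpenRefine's code. It assumes, for illustration only, that the server maps lang to a file named <langs_dir>/<lang>.json and that valid language tags look like en, pt_BR or zh-CN. The vulnerable resolver splices the parameter straight into the path; the hardened one applies an allow-list to the tag and then checks that the canonical result still lands directly inside the localization directory.

```python
import re
from pathlib import Path

# Allow-list for language tags such as "en", "pt_BR", "zh-CN" (assumed shape,
# not taken from OpenRefine). Anything containing "/", "\" or "." is rejected.
LANG_RE = re.compile(r"[A-Za-z]{2,3}(?:[_-][A-Za-z0-9]{2,8})*")


def resolve_vulnerable(langs_dir: Path, lang: str) -> Path:
    """Path construction with no validation: the untrusted 'lang' value is
    spliced straight into the file name, so '../' walks out of langs_dir and
    an absolute value replaces the base directory entirely (models the flaw)."""
    return langs_dir / f"{lang}.json"


def resolve_hardened(langs_dir: Path, lang: str) -> Path:
    """Two independent checks: an allow-list on the raw tag, then a
    canonical-path containment check on the constructed result."""
    if not LANG_RE.fullmatch(lang):
        raise ValueError(f"invalid lang tag: {lang!r}")
    base = langs_dir.resolve()
    candidate = (base / f"{lang}.json").resolve()
    # Defence in depth: even a tag that passed the regex must resolve to a
    # file whose parent is exactly the localization directory.
    if candidate.parent != base:
        raise ValueError(f"path escapes localization directory: {candidate}")
    return candidate


def escapes(langs_dir: Path, candidate: Path) -> bool:
    """True if 'candidate', once canonicalized, lies outside 'langs_dir'."""
    base = langs_dir.resolve()
    return base not in candidate.resolve().parents


def evaluate(langs_dir: Path, langs):
    """For each lang value (as the application sees it, i.e. already
    URL-decoded by the servlet container) return a tuple
    (vulnerable resolver escapes the directory?, hardened resolver accepts it?)."""
    results = {}
    for lang in langs:
        vuln_escapes = escapes(langs_dir, resolve_vulnerable(langs_dir, lang))
        try:
            resolve_hardened(langs_dir, lang)
            accepted = True
        except ValueError:
            accepted = False
        results[lang] = (vuln_escapes, accepted)
    return results


# Constructed inputs: two benign tags plus traversal attempts in relative,
# nested and absolute form.
SAMPLE_INPUTS = [
    "en",
    "pt_BR",
    "../../../../etc/passwd",
    "en/../../secret",
    "/etc/passwd",
]

if __name__ == "__main__":
    # Assumed installation path, used only so the example runs offline.
    langs_dir = Path("/srv/openrefine/langs")
    for lang, (esc, ok) in evaluate(langs_dir, SAMPLE_INPUTS).items():
        print(f"{lang!r:28} vulnerable_escapes={esc!s:5} hardened_accepts={ok}")
```

The regex alone would already stop every traversal payload above; the containment check is kept because allow-lists tend to be loosened later, and a second, path-based check keeps the command safe when that happens.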
CVE-2024-49760 was publicly disclosed on 2024-10-24. Currently, there are no known active exploitation campaigns targeting this vulnerability. No public proof-of-concept (PoC) code has been released at the time of this writing. The vulnerability has not been added to the CISA KEV catalog.
Organizations using OpenRefine for data cleaning and transformation, particularly those running OpenRefine on publicly accessible servers or within shared hosting environments, are at risk. Systems with legacy OpenRefine installations or those lacking robust file system access controls are also more vulnerable.
• java / server: Monitor OpenRefine and reverse-proxy logs for load-language requests whose lang parameter contains directory traversal sequences (e.g., ../), including URL-encoded forms such as %2e%2e%2f, since the servlet container decodes them before the parameter reaches the command.
• generic web: Use curl/wget to probe the load-language command (served under OpenRefine's command prefix, /command/core/load-language) with a lang value containing directory traversal sequences, and check whether the server rejects the value or returns file content. Because the command only reads JSON files, a probe aimed at /etc/passwd shows whether traversal is rejected rather than returning that file.
curl 'http://your-openrefine-server/command/core/load-language?lang=../../../../etc/passwd'
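The detection logic from the monitoring step above, as an added Python example that is not part of the original page. It runs over constructed combined-format access-log lines (not real traffic), decodes the lang parameter until it is stable so that single- and double-percent-encoded payloads collapse to ../, treats backslashes like slashes, and flags any request whose lang value contains a .. segment, an absolute path or a null byte. The request paths and client addresses in the sample are assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed access-log lines in Apache/nginx combined format (not real traffic).
SAMPLE_LOG = r"""
10.0.0.5 - - [24/Oct/2024:10:01:02 +0000] "GET /command/core/load-language?lang=en HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [24/Oct/2024:10:01:05 +0000] "POST /command/core/load-language?lang=pt_BR HTTP/1.1" 200 5301 "-" "Mozilla/5.0"
203.0.113.9 - - [24/Oct/2024:10:02:11 +0000] "GET /command/core/load-language?lang=../../../../etc/passwd HTTP/1.1" 500 93 "-" "curl/8.4.0"
203.0.113.9 - - [24/Oct/2024:10:02:14 +0000] "GET /command/core/load-language?lang=..%2F..%2F..%2Fconf%2Fsecrets HTTP/1.1" 500 93 "-" "curl/8.4.0"
203.0.113.9 - - [24/Oct/2024:10:02:20 +0000] "GET /command/core/load-language?lang=%252e%252e%252fetc%252fshadow HTTP/1.1" 500 93 "-" "curl/8.4.0"
203.0.113.9 - - [24/Oct/2024:10:02:31 +0000] "GET /command/core/load-language?lang=..\..\win.ini HTTP/1.1" 500 93 "-" "curl/8.4.0"
10.0.0.7 - - [24/Oct/2024:10:03:00 +0000] "GET /command/core/get-csrf-token HTTP/1.1" 200 60 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize(value: str) -> str:
    """Percent-decode until the value stops changing (bounded), so that
    %2e%2e%2f and double-encoded %252e%252e%252f both end up as '../'."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(lang: str) -> bool:
    """True if a lang value, after decoding, tries to leave the langs directory."""
    v = normalize(lang).replace("\\", "/")
    if "\x00" in v or v.startswith("/"):
        return True
    return ".." in v.split("/")


def scan(log_text: str):
    """Return (ip, status, raw_lang, decoded_lang) for every load-language
    request whose lang parameter looks like a traversal attempt."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.endswith("/load-language"):
            continue
        # Walk the raw query string ourselves so the undecoded value is kept for the report.
        for pair in url.query.split("&"):
            key, _, raw = pair.partition("=")
            if unquote(key) != "lang":
                continue
            if is_traversal(raw):
                hits.append((m["ip"], m["status"], raw, normalize(raw).replace("\\", "/")))
    return hits


if __name__ == "__main__":
    for ip, status, raw, decoded in scan(SAMPLE_LOG):
        print(f"{ip:14} status={status} lang={raw!r} -> {decoded!r}")
```

A WAF rule for the workaround below should apply the same decode-until-stable step before matching, otherwise a double-encoded payload walks past a rule that only looks for the literal ../.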
Exploitation status
EPSS
0.57% (68th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade OpenRefine to version 3.8.3 or later, which adds the missing path validation. If an immediate upgrade is not feasible, add a Web Application Firewall (WAF) rule that blocks requests whose lang parameter contains directory traversal sequences, making sure the rule matches URL-encoded forms as well as the literal ../. Additionally, run the OpenRefine process with the minimum file system permissions it needs so that a successful traversal reaches as little as possible, and review file system access logs regularly for anomalous activity.
Upgrade OpenRefine to version 3.8.3 or later. This version fixes the path traversal vulnerability in the load-language command and prevents unauthorized access to files on the system.
CVE-2024-49760 is a Path Traversal vulnerability in OpenRefine affecting versions up to 3.8.2. It allows attackers to read arbitrary JSON files from the server's file system.
You are affected if you are using OpenRefine version 3.8.2 or earlier. Upgrade to 3.8.3 to mitigate the risk.
Upgrade OpenRefine to version 3.8.3 or later. As a temporary workaround, implement a WAF rule to block requests with suspicious directory traversal sequences.
As of now, there are no confirmed reports of active exploitation of CVE-2024-49760.
Refer to the OpenRefine project's security advisories on their website or GitHub repository for the latest information.