CVE-2024-49760

Name: CVE-2024-49760
Description: OpenRefine is a free, open source tool for working with messy data. The load-language command expects a `lang` parameter from which it constructs the path of the localization file to load, of the form `translations-$LANG.json`. But when doing so in versions prior to 3.8.3, it does not check that the resulting path is in the expected directory, which means that this command could be exploited to read other JSON files on the file system. Version 3.8.3 addresses this issue.
Source: CVE (at NVD)
Debian Bugs: 1086041
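The path-construction flaw described above, as an added illustration (not OpenRefine's own code, and in Python rather than the project's Java): the unchecked form beside a hardened one that allowlists the language tag and confirms the resolved file still sits in the translations directory. The directory path, the tag pattern and the sample inputs are assumptions constructed for this example.

```python
import re
from pathlib import Path
from typing import Optional

# Constructed base directory for this example; it does not reflect OpenRefine's real layout.
TRANSLATIONS_DIR = Path("/srv/example-app/langs")

# Assumed allowlist for language tags such as "en", "zh-CN" or "pt_BR":
# letters for the base tag, then optional "-"/"_" subtags. No "/" or "." can pass.
LANG_RE = re.compile(r"^[A-Za-z]{2,3}(?:[_-][A-Za-z0-9]{2,8})*$")


def unchecked_translation_path(lang: str) -> Path:
    """The pattern the advisory describes: build translations-$LANG.json from the
    request parameter and resolve it, with no check on where the result ends up."""
    return (TRANSLATIONS_DIR / f"translations-{lang}.json").resolve()


def escapes_directory(path: Path) -> bool:
    """True when a resolved path does not sit directly inside TRANSLATIONS_DIR."""
    return path.parent != TRANSLATIONS_DIR.resolve()


def checked_translation_path(lang: str) -> Optional[Path]:
    """Hardened variant with two independent defenses: reject any tag that is not a
    plain language tag, and, even for tags that pass, refuse a resolved path whose
    parent is not the translations directory. Returns None when the request is refused."""
    if not LANG_RE.fullmatch(lang):
        return None
    candidate = (TRANSLATIONS_DIR / f"translations-{lang}.json").resolve()
    if escapes_directory(candidate):
        return None
    return candidate


if __name__ == "__main__":
    for tag in ("en", "zh-CN", "en/../../other"):
        raw = unchecked_translation_path(tag)
        print(f"{tag!r}: unchecked -> {raw} (escapes: {escapes_directory(raw)}),"
              f" checked -> {checked_translation_path(tag)}")
```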

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package     Release       Version           Status
openrefine (PTS)   bookworm      3.6.2-2+deb12u2   vulnerable
openrefine (PTS)   sid, trixie   3.7.8-1           vulnerable

The information below is based on the following data on fixed versions.

Package      Type     Release      Fixed Version   Urgency   Origin   Debian Bugs
openrefine   source   (unstable)   (unfixed)                          1086041

Notes

https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-qfwq-6jh6-8xx4
https://github.com/OpenRefine/OpenRefine/commit/24d084052dc55426fe460f2a17524fd18d28b20c
https://github.com/OpenRefine/OpenRefine/commit/478285afffea59c893ac472faa74898ab9e5e95a (3.8.3)
