CVE-2024-49760

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-49760

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-49760.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2024-49760

Aliases

GHSA-qfwq-6jh6-8xx4

Related

UBUNTU-CVE-2024-49760

Published

2024-10-24T22:15:04Z

Modified

2024-11-24T16:47:38.788517Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

[none]

Details

OpenRefine is a free, open source tool for working with messy data. The load-language command expects a lang parameter from which it constructs the path of the localization file to load, of the form translations-$LANG.json. But when doing so in versions prior to 3.8.3, it does not check that the resulting path is in the expected directory, which means that this command could be exploited to read other JSON files on the file system. Version 3.8.3 addresses this issue.

References

Affected packages

Debian:12 / openrefine

Package

Name: openrefine
Purl: pkg:deb/debian/openrefine?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.6.2-2

3.6.2-2+deb12u1

3.6.2-2+deb12u2

3.6.2-3

3.7.4-1

3.7.5-1

3.7.6-1

3.7.7-1

3.7.8-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/openrefine/openrefine

Affected ranges

Type: GIT
Repo: https://github.com/openrefine/openrefine
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

24d084052dc55426fe460f2a17524fd18d28b20c

Affected versions

1.*

1.1

2.*

2.6-alpha.2

2.6-alpha1

2.6-beta.1

2.6-rc.2

2.7

2.7-rc.1

2.7-rc.2

2.8

3.*

3.0

3.0-beta

3.0-rc.1

3.1

3.1-beta

3.2

3.2-beta

3.3

3.3-beta

3.3-rc1

3.4-beta

3.5-beta1

3.7-beta2

3.8-beta1

v2.*

v2.6-rc1