UBUNTU-CVE-2024-49760

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2024-49760

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-49760.json

JSON Data

https://api.test.osv.dev/v1/vulns/UBUNTU-CVE-2024-49760

Related

CVE-2024-49760

Published

2024-10-24T22:15:00Z

Modified

2024-11-11T16:59:00Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

[none]

Details

OpenRefine is a free, open source tool for working with messy data. The load-language command expects a lang parameter from which it constructs the path of the localization file to load, of the form translations-$LANG.json. But when doing so in versions prior to 3.8.3, it does not check that the resulting path is in the expected directory, which means that this command could be exploited to read other JSON files on the file system. Version 3.8.3 addresses this issue.

References

Affected packages

Ubuntu:22.04:LTS / openrefine

Package

Name: openrefine
Purl: pkg:deb/ubuntu/openrefine?arch=src?distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.5.2-1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:24.10 / openrefine

Package

Name: openrefine
Purl: pkg:deb/ubuntu/openrefine?arch=src?distro=oracular

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.7.7-1

3.7.8-1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:24.04:LTS / openrefine

Package

Name: openrefine
Purl: pkg:deb/ubuntu/openrefine?arch=src?distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.6.2-3

3.7.6-1

3.7.7-1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}