Bug#1086042: openrefine-butterfly: CVE-2024-47883
Moritz Mühlenhoff
jmm at inutil.org
Fri Oct 25 14:38:06 BST 2024
Source: openrefine-butterfly
X-Debbugs-CC: team at security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerability was published for openrefine-butterfly.
CVE-2024-47883[0]:
| The OpenRefine fork of the MIT Simile Butterfly server is a modular
| web application framework. The Butterfly framework uses the
| `java.net.URL` class to refer to (what are expected to be) local
| resource files, like images or templates. This works: "opening a
| connection" to these URLs opens the local file. However, prior to
| version 1.2.6, if a `file:/` URL is directly given where a relative
| path (resource name) is expected, this is also accepted in some code
| paths; the app then fetches the file, from a remote machine if
| indicated, and uses it as if it was a trusted part of the app's
| codebase. This leads to multiple weaknesses and potential
| weaknesses. An attacker that has network access to the application
| could use it to gain access to files, either on the server's
| filesystem (path traversal) or shared by nearby machines
| (server-side request forgery with e.g. SMB). An attacker that can lead or
| redirect a user to a crafted URL belonging to the app could cause
| arbitrary attacker-controlled JavaScript to be loaded in the
| victim's browser (cross-site scripting). If an app is written in
| such a way that an attacker can influence the resource name used for
| a template, that attacker could cause the app to fetch and execute
| an attacker-controlled template (remote code execution). Version
| 1.2.6 contains a patch.
https://github.com/OpenRefine/simile-butterfly/security/advisories/GHSA-3p8v-w8mr-m3x8
https://github.com/OpenRefine/simile-butterfly/commit/537f64bfa72746f8b21d4bda461fad843435319c
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-47883
https://www.cve.org/CVERecord?id=CVE-2024-47883
Please adjust the affected versions in the BTS as needed.
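The resolution pattern the advisory describes, as an added Java example (this is not Butterfly's code and not the 1.2.6 fix): a resource base URL and a resource name are combined with java.net.URL(URL, String). When the name itself carries a scheme, that constructor builds the result from the name alone and the base is ignored, so the code path that opens "templates/index.vt" under the base will just as readily open file:/etc/passwd (local file read) or file://fileserver/share/evil.vt (a fetch from another host). The base path, the method names resolveUnsafe/resolveSafe and the hostile names are assumptions constructed for illustration. The hardened variant rejects any name that parses as an absolute URI and requires the normalized filesystem path to stay under the base directory, which also covers plain ../ traversal.

```java
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.nio.file.Path;
import java.nio.file.Paths;

public class ResourceResolver {

    // Pattern from the advisory (illustrative, not Butterfly's source):
    // a base URL for the app's resource directory, and resource names
    // resolved against it with java.net.URL. If `name` carries its own
    // scheme, URL(URL, String) builds the result from `name` alone, so
    // "file:/etc/passwd" or "file://host/share/x.vt" replaces the base
    // instead of naming a file under it.
    static URL resolveUnsafe(URL base, String name) throws MalformedURLException {
        return new URL(base, name);
    }

    // Hardened variant (hypothetical; not the upstream patch):
    // 1. reject NUL and backslashes, which some resolvers treat specially;
    // 2. reject anything that parses as an absolute URI (i.e. has a scheme);
    // 3. resolve as a filesystem path and require the normalized result to
    //    stay inside the base directory, which also blocks "../" traversal.
    static Path resolveSafe(Path baseDir, String name) {
        if (name == null || name.isEmpty()
                || name.indexOf('\0') >= 0 || name.indexOf('\\') >= 0) {
            throw new IllegalArgumentException("invalid resource name");
        }
        try {
            if (new URI(name).isAbsolute()) {   // file:, jar:, http:, FILE: ...
                throw new IllegalArgumentException(
                        "absolute URL not allowed as resource name: " + name);
            }
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("unparseable resource name: " + name, e);
        }
        Path root = baseDir.toAbsolutePath().normalize();
        Path resolved = root.resolve(name).normalize();
        if (!resolved.startsWith(root)) {
            throw new IllegalArgumentException("resource escapes base directory: " + name);
        }
        return resolved;
    }

    public static void main(String[] args) throws MalformedURLException {
        // Assumed resource root for the demonstration.
        URL base = new URL("file:/srv/app/modules/core/");
        Path baseDir = Paths.get("/srv/app/modules/core");

        // Expected usage: a relative resource name stays under the base.
        System.out.println("ok:     " + resolveUnsafe(base, "templates/index.vt"));
        System.out.println("ok:     " + resolveSafe(baseDir, "templates/index.vt"));

        // Attacker-controlled names, constructed for illustration.
        String[] hostile = {
            "file:/etc/passwd",                 // absolute file URL: local file read
            "file://fileserver/share/evil.vt",   // file URL with a host: fetch from another machine
            "../../../../etc/passwd",            // classic traversal, no scheme needed
        };
        for (String n : hostile) {
            // The unsafe resolver happily produces a URL outside the base.
            System.out.println("unsafe: " + resolveUnsafe(base, n));
            try {
                resolveSafe(baseDir, n);
            } catch (IllegalArgumentException e) {
                System.out.println("safe:   rejected: " + e.getMessage());
            }
        }
    }
}
```

The check is on URI.isAbsolute(), not on a "file:" prefix: jar:, http: or upper-case FILE: names take the same absolute branch in java.net.URL and must be rejected too. Names that do not parse as a URI at all are rejected rather than passed through, which is the conservative choice for something that is supposed to be a plain relative path.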
More information about the pkg-java-maintainers mailing list