Source: openrefine-butterfly
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,

The following vulnerability was published for openrefine-butterfly.

CVE-2024-47883[0]:
| The OpenRefine fork of the MIT Simile Butterfly server is a modular
| web application framework. The Butterfly framework uses the
| `java.net.URL` class to refer to (what are expected to be) local
| resource files, like images or templates. This works: "opening a
| connection" to these URLs opens the local file. However, prior to
| version 1.2.6, if a `file:/` URL is directly given where a relative
| path (resource name) is expected, this is also accepted in some code
| paths; the app then fetches the file, from a remote machine if
| indicated, and uses it as if it was a trusted part of the app's
| codebase. This leads to multiple weaknesses and potential
| weaknesses. An attacker that has network access to the application
| could use it to gain access to files, either on the server's
| filesystem (path traversal) or shared by nearby machines (server-side
| request forgery with e.g. SMB). An attacker that can lead or
| redirect a user to a crafted URL belonging to the app could cause
| arbitrary attacker-controlled JavaScript to be loaded in the
| victim's browser (cross-site scripting). If an app is written in
| such a way that an attacker can influence the resource name used for
| a template, that attacker could cause the app to fetch and execute
| an attacker-controlled template (remote code execution). Version
| 1.2.6 contains a patch.

https://github.com/OpenRefine/simile-butterfly/security/advisories/GHSA-3p8v-w8mr-m3x8
https://github.com/OpenRefine/simile-butterfly/commit/537f64bfa72746f8b21d4bda461fad843435319c

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-47883
    https://www.cve.org/CVERecord?id=CVE-2024-47883

Please adjust the affected versions in the BTS as needed.
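As an added illustration of the kind of input check the advisory calls for (not Butterfly's own code, and not the upstream patch): a hypothetical `resolveLocal` helper that accepts only plain relative resource names, rejecting anything carrying a URL scheme such as `file:`, absolute paths, and names that normalize outside the resource root. The root directory and the sample names are constructed.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.file.Path;
import java.nio.file.Paths;

/** Hypothetical helper, added here for illustration; not part of Butterfly. */
public final class ResourceNameCheck {
    private ResourceNameCheck() {}

    /** Resolves {@code name} under {@code base}; throws if it is not a plain relative resource name. */
    public static Path resolveLocal(Path base, String name) {
        if (name == null || name.isEmpty()) {
            throw new IllegalArgumentException("empty resource name");
        }
        // Reject anything that parses with a URI scheme (file:, http:, smb:, jar:, ...).
        // The advisory's weakness is exactly that such strings were accepted where a
        // relative resource name was expected, so the app fetched whatever they pointed at.
        try {
            if (new URI(name).getScheme() != null) {
                throw new IllegalArgumentException("resource name must not carry a URL scheme: " + name);
            }
        } catch (URISyntaxException e) {
            // Not a syntactically valid URI; the path checks below decide.
        }
        // Reject absolute paths and backslashes (Windows separators, UNC prefixes).
        if (name.startsWith("/") || name.indexOf('\\') >= 0) {
            throw new IllegalArgumentException("resource name must be relative: " + name);
        }
        Path absBase = base.toAbsolutePath().normalize();
        Path resolved = absBase.resolve(name).normalize();
        // Containment check after normalisation: catches ".." segments that climb out of base.
        if (!resolved.startsWith(absBase)) {
            throw new IllegalArgumentException("resource name escapes the resource root: " + name);
        }
        return resolved;
    }

    public static void main(String[] args) {
        Path root = Paths.get("/srv/app/resources"); // constructed sample resource root
        System.out.println("accepted: " + resolveLocal(root, "images/logo.png"));
        String[] rejected = {"file:/tmp/outside.txt", "../outside.txt", "/tmp/outside.txt"};
        for (String bad : rejected) {
            try {
                resolveLocal(root, bad);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

A scheme-bearing name is refused before any `java.net.URL` is ever constructed, which is the point: resolution happens on the filesystem path, never on a URL that could open a remote connection.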