CVE-2024-49760: OpenRefine has a path traversal in LoadLanguageCommand

October 24, 2024 (updated November 6, 2024)

The load-language command expects a lang parameter from which it constructs the path of the localization file to load, of the form translations-$LANG.json. When doing so, it does not check that the resulting path is in the expected directory, which means that this command could be exploited to read other JSON files on the file system.

The command should be patched by checking that the normalized path is in the expected directory.

References

github.com/OpenRefine/OpenRefine
github.com/OpenRefine/OpenRefine/commit/24d084052dc55426fe460f2a17524fd18d28b20c
github.com/OpenRefine/OpenRefine/security/advisories/GHSA-qfwq-6jh6-8xx4
github.com/advisories/GHSA-qfwq-6jh6-8xx4
nvd.nist.gov/vuln/detail/CVE-2024-49760

Code Behaviors & Features

Detect and mitigate CVE-2024-49760 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →