CVE-2024-49760
OpenRefine has a path traversal in LoadLanguageCommand
7.1
HIGH
CVSS 3.1
EPSS 0.57%
Description
The load-language command expects a `lang` parameter from which it constructs the path of the localization file to load, of the form `translations-$LANG.json`. When doing so, it does not check that the resulting path is in the expected directory, which means that this command could be exploited to read other JSON files on the file system. The command should be patched by checking that the normalized path is in the expected directory.
How to fix CVE-2024-49760
To remediate CVE-2024-49760, upgrade the affected package to a fixed version below.
- —upgrade to 3.6.2-2+deb12u3 or later
- —upgrade to 3.8.3 or later
Is CVE-2024-49760 being exploited?
Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 3.6.2-2+deb12u3
- from 0, < 3.8.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | HIGH7.1 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N |