CVE-2024-49760

Name of the Vulnerable Software and Affected Versions: OpenRefine versions prior to 3.8.3

Description: The load-language command in OpenRefine expects a lang parameter to construct the path of the localization file to load, in the form translations-$LANG.json. However, in affected versions, it does not check if the resulting path is in the expected directory, allowing the command to be exploited to read other JSON files on the file system.

Recommendations: For versions prior to 3.8.3, update to version 3.8.3 to address this issue. As a temporary workaround, consider restricting access to the load-language command to minimize the risk of exploitation. Additionally, ensure that the normalized path is checked to be in the expected directory to prevent unauthorized file access.