PT-2024-8657 · Butterfly+2
Wetneb · Published 2024-10-24 · Updated 2024-11-20 · CVE-2024-47883
CVSS v2.0: 9.4 Critical
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions: Butterfly framework versions prior to 1.2.6

Description: The Butterfly framework has a weakness related to incorrect restriction of a path name to a directory with limited access. It can be exploited by an attacker with network access to the application to gain access to files on the server's filesystem or to files shared by nearby machines. An attacker can also lead or redirect a user to a crafted URL belonging to the app, causing arbitrary attacker-controlled JavaScript to be loaded in the victim's browser. Additionally, if an app is written in such a way that an attacker can influence the resource name used for a template, the attacker could cause the app to fetch and execute an attacker-controlled template.

The edu.mit.simile.butterfly.ButterflyModuleImpl.getResource method converts a resource name into a URL. If the resource name already starts with file:/, it is passed through unmodified, and there is no check that the resulting URL points inside the expected directory or even to the same machine. The default implementation of process in ButterflyModuleImpl serves a named resource, so it is vulnerable. The Velocity template library is also vulnerable if template resource names can be influenced by an attacker.

Recommendations: For versions prior to 1.2.6, update to version 1.2.6 or later to patch the vulnerability. As a temporary workaround, restrict access to the file:/ URL scheme to reduce the risk of exploitation, avoid using the file:/ URL scheme in resource names until the issue is resolved, and restrict access to the vulnerable ButterflyModuleImpl and ButterflyResourceLoader classes.
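The resolver pattern the description refers to, shown as an added Java example that is not Butterfly's own code and does not claim to reproduce the 1.2.6 fix: a weak getResource that converts a file:/ name into a URL as-is, beside a hardened version that resolves every name relative to the module directory and rejects any result outside it. The class name, method names and the constructed resource names are assumptions.

```java
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

/*
 * Added illustration, not code from the Butterfly project. It contrasts the
 * resource-name handling the advisory describes (a "file:/" name becomes a
 * URL with no containment check) with a resolver that confines every result
 * to the module directory. Class, method and sample names are hypothetical.
 */
public class ResourceResolverExample {

    /** Weak pattern: a name that already starts with "file:/" is converted as-is. */
    static URL weakGetResource(Path moduleDir, String name) throws MalformedURLException {
        if (name.startsWith("file:/")) {
            return URI.create(name).toURL();            // no check that the target lies under moduleDir
        }
        return moduleDir.resolve(name).toUri().toURL(); // ".." segments survive this join as well
    }

    /** Hardened pattern: no schemes, resolve under the module directory, verify containment. */
    static URL safeGetResource(Path moduleDir, String name) throws IOException {
        // Resource names are plain relative paths: any scheme prefix ("file:", "jar:", ...) is refused.
        if (name.contains(":")) {
            throw new IOException("resource name must not carry a URL scheme: " + name);
        }
        // Canonicalise the base (follows symlinks; the directory must exist), then join and
        // normalise the candidate so that ".." segments are collapsed before the check below.
        Path base = moduleDir.toRealPath();
        Path candidate = base.resolve(name).normalize();
        // An absolute name ("/x") replaces the base in resolve(); a traversal leaves the base after
        // normalisation. Both fail this segment-wise prefix test.
        if (!candidate.startsWith(base)) {
            throw new IOException("resource escapes the module directory: " + name);
        }
        return candidate.toUri().toURL();
    }

    public static void main(String[] args) throws IOException {
        // Constructed module directory holding one template.
        Path moduleDir = Files.createTempDirectory("module");
        Files.write(moduleDir.resolve("index.vt"), "hello".getBytes(StandardCharsets.UTF_8));

        // Constructed names: one legitimate, one traversal, one scheme-prefixed.
        String[] names = { "index.vt", "../outside.txt", "file:/outside.txt" };
        for (String name : names) {
            System.out.println("weak  " + name + " -> " + weakGetResource(moduleDir, name));
            try {
                System.out.println("safe  " + name + " -> " + safeGetResource(moduleDir, name));
            } catch (IOException e) {
                System.out.println("safe  " + name + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Only the base directory is canonicalised with toRealPath, so a resource that does not exist yet is still checked; the candidate is normalised lexically and compared segment-wise, which also stops a sibling directory whose name merely shares a prefix with the base from passing.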

Exploit · Fix · RCE · Path traversal · SSRF

Weakness Enumeration

Related Identifiers

BDU:2024-10249
CVE-2024-47883
GHSA-3P8V-W8MR-M3X8

Affected Products

Butterfly
Debian
Velocity