Version 1.2.6 includes two vulnerability fixes:
- Only serve resources within the expected directory (severity: critical)
  Mitigates CVE-2024-47883. Fetching of remote resources is disabled, and
  resource paths can no longer escape the base path of the Butterfly module.
  See more details at: GHSA-3p8v-w8mr-m3x8
- Remove vulnerable JSON parsing function and related utilities (severity: moderate)
  These JSON parsing functions relied on JavaScript evaluation, which can be
  used for remote code execution. They are not used in OpenRefine, which is
  therefore not affected. See: GHSA-mpcw-3j5p-p99x
We thank @wandernauta for responsibly disclosing these vulnerabilities to us.