CVE-2024-47883
📋 TL;DR
This vulnerability in the OpenRefine fork of the MIT Simile Butterfly server stems from improper URL validation: an attacker can make the server fetch files from remote systems or read the local filesystem. It affects applications built on vulnerable versions of the framework and can lead to file disclosure, SSRF, XSS, or remote code execution. Butterfly server versions before 1.2.6 are vulnerable.
💻 Affected Systems
- OpenRefine fork of MIT Simile Butterfly server
📦 What is this software?
Butterfly by Openrefine
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution through template injection, allowing complete system compromise and data exfiltration.
Likely Case
Server-side request forgery (SSRF) to access internal network resources and file disclosure through path traversal.
If Mitigated
Limited file access if network segmentation and input validation are in place, but still vulnerable to XSS.
🎯 Exploit Status
Exploitation requires network access to the application but no authentication. The advisory provides technical details that could facilitate exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.2.6
Vendor Advisory: https://github.com/OpenRefine/simile-butterfly/security/advisories/GHSA-3p8v-w8mr-m3x8
Restart Required: Yes
Instructions:
1. Update to version 1.2.6 or later.
2. Replace the vulnerable JAR files with patched versions.
3. Restart the application server.
4. Verify the fix by checking the version and testing previously vulnerable endpoints.
🔧 Temporary Workarounds
Input Validation Filter
Implement strict input validation to reject file:// URLs and path traversal sequences in resource name parameters.
Implement a custom servlet filter or middleware to sanitize all resource name inputs.
Network Segmentation
Restrict outbound network access from the application server to prevent SSRF attacks.
Configure firewall rules to block outbound SMB, HTTP, and other protocols from the application server.
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block requests containing file:// URLs and path traversal patterns.
- Isolate the application in a restricted network segment with no outbound internet access and minimal internal network access.
🔍 How to Verify
Check if Vulnerable:
Check the Butterfly framework version in your application dependencies. If using Maven, check pom.xml for a simile-butterfly version below 1.2.6. If using JAR files directly, check the file metadata or the manifest.
Check Version:
For Maven projects: mvn dependency:tree | grep simile-butterfly. For a direct JAR: java -jar butterfly.jar --version, or check MANIFEST.MF.
Verify Fix Applied:
After updating, verify the version is 1.2.6 or higher. Test previously vulnerable endpoints with file:// URLs to ensure they are rejected.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing 'file://' in parameters
- Unusual file access patterns from the application
- Errors related to URL parsing or file not found for remote paths
Network Indicators:
- Outbound SMB or HTTP requests from the application server to internal systems
- Unexpected file retrieval patterns
SIEM Query:
source="application_logs" AND (message="*file://*" OR message="*URL*" AND message="*resource*" AND message="*error*")
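As an added example (not part of this advisory summary or of the Butterfly project), a small log scanner that applies the log indicators above to constructed access-log lines; it percent-decodes each request target before matching, because a literal match on `file://` such as the SIEM query's `*file://*` misses encoded forms like `file%3A%2F%2F`. The combined log format and the `name` parameter are assumptions, not taken from the advisory.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache/Tomcat combined format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Oct/2024:10:01:02 +0000] "GET /project?name=index HTTP/1.1" 200 512
10.0.0.7 - - [12/Oct/2024:10:01:03 +0000] "GET /project?name=file:///etc/hostname HTTP/1.1" 500 0
10.0.0.7 - - [12/Oct/2024:10:01:04 +0000] "GET /project?name=file%3A%2F%2F%2Fetc%2Fhostname HTTP/1.1" 500 0
10.0.0.9 - - [12/Oct/2024:10:01:05 +0000] "GET /project?name=..%2F..%2Fconf%2Fserver.xml HTTP/1.1" 404 0
10.0.0.3 - - [12/Oct/2024:10:01:06 +0000] "GET /static/app.js HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Match the scheme prefix rather than the literal "file://": single-slash forms are URLs too.
FILE_URL_RE = re.compile(r"\bfile:", re.IGNORECASE)
# A ".." segment followed by a slash or backslash, wherever it appears in the decoded target.
TRAVERSAL_RE = re.compile(r"\.\.(?:[/\\]|$)")

def normalize(target: str) -> str:
    """Percent-decode up to three rounds so double-encoded indicators become visible."""
    decoded = target
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded

def classify(target: str) -> list:
    """Return the advisory indicators present in one request target (empty if clean)."""
    decoded = normalize(target)
    hits = []
    if FILE_URL_RE.search(decoded):
        hits.append("file_url")
    if TRAVERSAL_RE.search(decoded):
        hits.append("path_traversal")
    return hits

def scan_log(text: str) -> list:
    """Parse each log line and collect requests whose target carries an indicator."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        hits = classify(m["target"])
        if hits:
            findings.append({"src": m["src"], "status": m["status"], "target": m["target"], "indicators": hits})
    return findings
```

Running scan_log(SAMPLE_LOG) flags the three suspicious requests and leaves the two ordinary ones alone; feed it your own access log to triage before tightening the SIEM rule.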