CVE-2024-47883 – Butterfly has path/URL confusion in resource handling leading to multiple weaknesses
https://notcve.org/view.php?id=CVE-2024-47883
24 Oct 2024 — The OpenRefine fork of the MIT Simile Butterfly server is a modular web application framework. The Butterfly framework uses the `java.net.URL` class to refer to (what are expected to be) local resource files, like images or templates. This works: "opening a connection" to these URLs opens the local file. However, prior to version 1.2.6, if a `file:/` URL is directly given where a relative path (resource name) is expected, this is also accepted in some code paths; the app then fetches the file, from a remote...

Reference: https://github.com/OpenRefine/simile-butterfly/commit/537f64bfa72746f8b21d4bda461fad843435319c

Weaknesses: CWE-36: Absolute Path Traversal; CWE-918: Server-Side Request Forgery (SSRF)
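The root cause described above is that a string meant to be a relative resource name is handed to URL-resolving code, so a value carrying its own scheme (`file:/`, `http://`) or an absolute path is honoured instead of being confined to the resource directory. The following resolver is an added illustration of the defensive check, not code from Butterfly or the linked fix commit: it validates the name before any `java.net.URL` is ever built. The base directory `/srv/app/resources`, the class name `ResourceResolver` and the sample names are constructed for the example.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

// Constructed example: confines a "resource name" to a fixed directory before it is
// turned into a URL. Names that look like URLs or absolute paths are rejected outright,
// which closes both the absolute-path-traversal (CWE-36) and the SSRF (CWE-918) shape
// of the bug: nothing with a scheme ever reaches URL.openConnection().
public final class ResourceResolver {

    // Matches a leading URL scheme such as "file:", "http:", "jar:" (RFC 3986 scheme syntax).
    private static final Pattern SCHEME = Pattern.compile("^[A-Za-z][A-Za-z0-9+.\\-]*:");

    private final Path baseDir;

    public ResourceResolver(Path baseDir) {
        // Canonicalise the base once so later prefix checks compare like with like.
        this.baseDir = baseDir.toAbsolutePath().normalize();
    }

    /**
     * Resolves a resource name to a file inside baseDir.
     * Rejects anything that is not a plain relative path: URL-looking strings
     * ("file:/...", "http://..."), absolute paths, and names that escape via "..".
     */
    public Path resolve(String name) {
        if (name == null || name.isEmpty()) {
            throw new IllegalArgumentException("empty resource name");
        }
        if (SCHEME.matcher(name).find()) {
            throw new IllegalArgumentException("resource name must not carry a URL scheme: " + name);
        }
        Path relative = Paths.get(name);
        if (relative.isAbsolute()) {
            throw new IllegalArgumentException("resource name must be relative: " + name);
        }
        // Resolve against the base and normalise away "." and ".." segments, then
        // check component-wise containment (Path.startsWith is not a string prefix test,
        // so "/srv/app/resources-old" does not pass for base "/srv/app/resources").
        Path resolved = baseDir.resolve(relative).normalize();
        if (!resolved.startsWith(baseDir)) {
            throw new IllegalArgumentException("resource name escapes the resource directory: " + name);
        }
        return resolved;
    }

    public static void main(String[] args) {
        ResourceResolver r = new ResourceResolver(Paths.get("/srv/app/resources"));
        String[] samples = {                 // constructed inputs
            "images/logo.png",               // plain relative name: accepted
            "templates/../images/a.png",     // stays inside base after normalisation: accepted
            "file:/etc/passwd",              // URL where a name was expected: rejected
            "http://example.invalid/x",      // remote fetch attempt: rejected
            "/etc/passwd",                   // absolute path: rejected
            "../../etc/passwd"               // traversal out of base: rejected
        };
        for (String s : samples) {
            try {
                System.out.println("OK      " + s + " -> " + r.resolve(s));
            } catch (IllegalArgumentException e) {
                System.out.println("REJECT  " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Only the `Path` returned by `resolve` should be converted to a URL (for example via `resolved.toUri().toURL()`) for the existing `java.net.URL`-based loading code; the untrusted string itself never is. The scheme check runs before `Paths.get`, which matters on Windows, where `Paths.get("http://...")` would throw `InvalidPathException` rather than fail the later checks.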