CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2023-32696 – Excessive permissions for ckan user
https://notcve.org/view.php?id=CVE-2023-32696
CKAN is an open-source data management system for powering data hubs and data portals. Prior to versions 2.9.9 and 2.10.1, the `ckan` user (equivalent to www-data) owned code and configuration files in the docker container and the `ckan` user had the permissions to use sudo. These issues allowed for code execution or privilege escalation if an arbitrary file write bug was available. Versions 2.9.9, 2.9.9-dev, 2.10.1, and 2.10.1-dev contain a patch. • https://github.com/ckan/ckan-docker-base/commit/5483c46ce9b518a4e1b626ef7032cce2c1d75c7d https://github.com/ckan/ckan-docker-base/security/advisories/GHSA-c74x-xfvr-x5wg • CWE-269: Improper Privilege Management •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2023-32321 – CKAN remote code execution and private information access via crafted resource ids
https://notcve.org/view.php?id=CVE-2023-32321
CKAN is an open-source data management system for powering data hubs and data portals. Multiple vulnerabilities have been discovered in Ckan which may lead to remote code execution. An arbitrary file write in `resource_create` and `package_update` actions, using the `ResourceUploader` object. Also reachable via `package_create`, `package_revise`, and `package_patch` via calls to `package_update`. Remote code execution via unsafe pickle loading, via Beaker's session store when configured to use the file session store backend. • https://github.com/ckan/ckan/blob/2a6080e61d5601fa0e2a0317afd6a8e9b7abf6dd/CHANGELOG.rst https://github.com/ckan/ckan/security/advisories/GHSA-446m-hmmm-hm8m • CWE-20: Improper Input Validation •
CVSS: 8.6EPSS: 0%CPEs: 2EXPL: 0CVE-2023-22746 – CKAN is vulnerable to session secret shared across instances using Docker images
https://notcve.org/view.php?id=CVE-2023-22746
CKAN is an open-source DMS (data management system) for powering data hubs and data portals. When creating a new container based on one of the Docker images listed below, the same secret key was being used by default. If the users didn't set a custom value via environment variables in the `.env` file, that key was shared across different CKAN instances, making it easy to forge authentication requests. Users overriding the default secret key in their own `.env` file are not affected by this issue. Note that the legacy images (ckan/ckan) located in the main CKAN repo are not affected by this issue. • https://github.com/ckan/ckan/commit/44af0f0a148fcc0e0fbcf02fe69b7db13459a84b https://github.com/ckan/ckan/commit/4c22c135fa486afa13855d1cdb9765eaf418d2aa https://github.com/ckan/ckan/security/advisories/GHSA-pr8j-v4c8-h62x • CWE-330: Use of Insufficiently Random Values CWE-344: Use of Invariant Value in Dynamically Changing Context •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2022-43685
https://notcve.org/view.php?id=CVE-2022-43685
CKAN through 2.9.6 account takeovers by unauthenticated users when an existing user id is sent via an HTTP POST request. This allows a user to take over an existing account including superuser accounts. CKAN hasta 2.9.6 toma de control de cuentas por parte de usuarios no autenticados cuando se envía una identificación de usuario existente a través de una solicitud HTTP POST. Esto permite a un usuario hacerse cargo de una cuenta existente, incluidas las cuentas de superusuario. • https://ckan.org https://ckan.org/blog/get-latest-patch-releases-your-ckan-site-october-2022 •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2021-25967 – CKAN - Stored Cross-Site Scripting (XSS) via SVG File Upload
https://notcve.org/view.php?id=CVE-2021-25967
In CKAN, versions 2.9.0 to 2.9.3 are affected by a stored XSS vulnerability via SVG file upload of users’ profile picture. This allows low privileged application users to store malicious scripts in their profile picture. These scripts are executed in a victim’s browser when they open the malicious profile picture En CKAN, versiones 2.9.0 a 2.9.3, están afectadas por una vulnerabilidad de tipo XSS almacenada por medio de la carga de archivos SVG de la foto de perfil de los usuarios. Esto permite a usuarios de aplicaciones con pocos privilegios almacenar scripts maliciosos en su foto de perfil. Estos scripts son ejecutados en el navegador de la víctima cuando ésta abre la imagen de perfil maliciosa • https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25967 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •