ckan@2.0.1 vulnerabilities

ckan is a world’s leading Open Source data portal platform.

It powers dozens of Open Data portals around the world, including data.gov, open.canada.ca and europeandataportal.eu but also regional, research and community organizations.

It makes easy to publish, share and find data online and is fully customizable via extensions and plugins.

Affected versions of this package are vulnerable to Information Exposure Through an Error Message due to the error handling mechanism in the package_search action. An attacker can obtain sensitive information by triggering connection issues with the Solr server, which results in the internal Solr URL, potentially including credentials, being leaked in the error message.

Upgrade ckan to version 2.10.5 or higher.

ckan is a world’s leading Open Source data portal platform.

It powers dozens of Open Data portals around the world, including data.gov, open.canada.ca and europeandataportal.eu but also regional, research and community organizations.

It makes easy to publish, share and find data online and is fully customizable via extensions and plugins.

Affected versions of this package are vulnerable to Server-Side Request Forgery (SSRF) due to missing checks via the use of CKAN plugins, including XLoader, DataPusher, Resource proxy, and context-archiver, that download content of local or remote files using the resources URLs. An attacker can create a resource with a URL pointing to unauthorized locations and potentially retrieve restricted data.

Upgrade ckan to version 2.10.5 or higher.

ckan is a world’s leading Open Source data portal platform.

It powers dozens of Open Data portals around the world, including data.gov, open.canada.ca and europeandataportal.eu but also regional, research and community organizations.

It makes easy to publish, share and find data online and is fully customizable via extensions and plugins.

Affected versions of this package are vulnerable to Improper Output Neutralization for Logs due to the user endpoint not performing filtering on an incoming parameter, which was added directly to the application log. An attacker can inject false log entries or corrupt the log file format by sending crafted input.

Upgrade ckan to version 2.9.11, 2.10.4 or higher.

ckan is a world’s leading Open Source data portal platform.

It powers dozens of Open Data portals around the world, including data.gov, open.canada.ca and europeandataportal.eu but also regional, research and community organizations.

It makes easy to publish, share and find data online and is fully customizable via extensions and plugins.

Affected versions of this package are vulnerable to Improper Authorization such that the ckan user (equivalent to www-data) owns code and configuration files in the docker container and has the permissions to use sudo.

These issues allow an attacker to perform code execution or privilege escalation if an arbitrary file write bug was available.

Upgrade ckan to version 2.9.9, 2.10.1 or higher.

ckan is a world’s leading Open Source data portal platform.

It powers dozens of Open Data portals around the world, including data.gov, open.canada.ca and europeandataportal.eu but also regional, research and community organizations.

It makes easy to publish, share and find data online and is fully customizable via extensions and plugins.

Affected versions of this package are vulnerable to Improper Handling of Length Parameter Inconsistency via the /dataset/new endpoint when submitting a POST request with a specially-crafted field. An attacker can create an out-of-memory error on the hosting server by submitting a malicious payload.

Note: This is only exploitable if the user has permissions to create or edit datasets.

Upgrade ckan to version 2.9.10, 2.10.3 or higher.

ckan is a world’s leading Open Source data portal platform.

It powers dozens of Open Data portals around the world, including data.gov, open.canada.ca and europeandataportal.eu but also regional, research and community organizations.

It makes easy to publish, share and find data online and is fully customizable via extensions and plugins.

Affected versions of this package are vulnerable to Arbitrary File Upload. A user with permissions to create or edit a dataset can upload a resource with a specially crafted resource ID to write the uploaded file in an arbitrary location using path traversal. The arbitrary file write is in the resource_create and package_update actions, using the ResourceUploader object. It is also reachable via package_create, package_revise, and package_patch via calls to package_update. Arbitrary files can also be read this way, if the user knows the ID of the desired file.

This may enable remote code execution via Beaker's insecure pickle loading when configured to use the file session store backend.

Denial of service may be possible by passing a resource ID of excessive length.

Upgrade ckan to version 2.9.9, 2.10.1 or higher.

ckan is a world’s leading Open Source data portal platform.

It powers dozens of Open Data portals around the world, including data.gov, open.canada.ca and europeandataportal.eu but also regional, research and community organizations.

It makes easy to publish, share and find data online and is fully customizable via extensions and plugins.

Affected versions of this package are vulnerable to Access Restriction Bypass. When creating a new container based on one of the Docker images listed below, the same secret key was being used by default. If the users didn't set a custom value via environment variables in the .env file, that key was shared across different CKAN instances, making it easy to forge authentication requests.

The affected images are:

• ckan/ckan-docker, (ckan/ckan-base images)
• okfn/docker-ckan (openknowledge/ckan-base and openknowledge/ckan-dev images)
• keitaroinc/docker-ckan (keitaro/ckan images).

Upgrade ckan to version 2.8.12, 2.9.7 or higher.

ckan is a world’s leading Open Source data portal platform.

It powers dozens of Open Data portals around the world, including data.gov, open.canada.ca and europeandataportal.eu but also regional, research and community organizations.

It makes easy to publish, share and find data online and is fully customizable via extensions and plugins.

Affected versions of this package are vulnerable to Improper Access Control when an existing user id is sent via an HTTP POST request. This allows a user to take over an existing account including superuser accounts.

Upgrade ckan to version 2.9.7 or higher.

ckan is a world’s leading Open Source data portal platform.

It powers dozens of Open Data portals around the world, including data.gov, open.canada.ca and europeandataportal.eu but also regional, research and community organizations.

It makes easy to publish, share and find data online and is fully customizable via extensions and plugins.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the autocomplete module.

Upgrade ckan to version 2.6.9, 2.7.7, 2.8.4 or higher.