ckan@2.7.5 vulnerabilities

CKAN Software

Direct Vulnerabilities

Known vulnerabilities in the ckan package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability (severity) and vulnerable version range

  • Medium severity: Information Exposure Through an Error Message

ckan is the world's leading Open Source data portal platform.

It powers dozens of Open Data portals around the world, including data.gov, open.canada.ca and europeandataportal.eu, but also regional, research and community organizations.

It makes it easy to publish, share and find data online and is fully customizable via extensions and plugins.

Affected versions of this package are vulnerable to Information Exposure Through an Error Message due to the error handling mechanism in the package_search action. An attacker can obtain sensitive information by triggering connection issues with the Solr server, which results in the internal Solr URL, potentially including credentials, being leaked in the error message.

How to fix Information Exposure Through an Error Message?

Upgrade ckan to version 2.10.5 or higher.

Vulnerable versions: [2.0,2.10.5)

  • High severity: Cross-site Scripting (XSS)


Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the datatables_view plugin, which renders user-controlled data without proper escaping in the user's browser. Note: This is only exploitable if the datatables_view plugin is activated, which is not enabled by default.

How to fix Cross-site Scripting (XSS)?

Upgrade ckan to version 2.10.5 or higher.

Vulnerable versions: [2.7.0,2.10.5)

  • Medium severity: Server-Side Request Forgery (SSRF)


Affected versions of this package are vulnerable to Server-Side Request Forgery (SSRF) due to missing URL checks in CKAN plugins, including XLoader, DataPusher, Resource proxy and context-archiver, that download the content of local or remote files from resource URLs. An attacker can create a resource with a URL pointing to unauthorized locations and potentially retrieve restricted data.

How to fix Server-Side Request Forgery (SSRF)?

Upgrade ckan to version 2.10.5 or higher.

Vulnerable versions: [,2.10.5)

  • Medium severity: Improper Output Neutralization for Logs


Affected versions of this package are vulnerable to Improper Output Neutralization for Logs because the user endpoint does not filter an incoming parameter before writing it directly to the application log. An attacker can inject false log entries or corrupt the log file format by sending crafted input.

How to fix Improper Output Neutralization for Logs?

Upgrade ckan to version 2.9.11, 2.10.4 or higher.

Vulnerable versions: [,2.9.11) and [2.10.0,2.10.4)

  • Medium severity: Improper Authorization


Affected versions of this package are vulnerable to Improper Authorization: the ckan user (equivalent to www-data) owns the code and configuration files in the Docker container and has permission to use sudo.

These issues allow an attacker to achieve code execution or privilege escalation if an arbitrary file write bug were available.

How to fix Improper Authorization?

Upgrade ckan to version 2.9.9, 2.10.1 or higher.

Vulnerable versions: [,2.9.9) and [2.10.0,2.10.1)

  • Medium severity: Improper Handling of Length Parameter Inconsistency


Affected versions of this package are vulnerable to Improper Handling of Length Parameter Inconsistency via the /dataset/new endpoint when submitting a POST request with a specially-crafted field. An attacker can create an out-of-memory error on the hosting server by submitting a malicious payload.

Note: This is only exploitable if the user has permissions to create or edit datasets.

How to fix Improper Handling of Length Parameter Inconsistency?

Upgrade ckan to version 2.9.10, 2.10.3 or higher.

Vulnerable versions: [2.0,2.9.10) and [2.10.0,2.10.3)

  • High severity: Arbitrary File Upload


Affected versions of this package are vulnerable to Arbitrary File Upload. A user with permissions to create or edit a dataset can upload a resource with a specially crafted resource ID to write the uploaded file in an arbitrary location using path traversal. The arbitrary file write is in the resource_create and package_update actions, using the ResourceUploader object. It is also reachable via package_create, package_revise, and package_patch via calls to package_update. Arbitrary files can also be read this way, if the user knows the ID of the desired file.

This may enable remote code execution via Beaker's insecure pickle loading when configured to use the file session store backend.

Denial of service may be possible by passing a resource ID of excessive length.

How to fix Arbitrary File Upload?

Upgrade ckan to version 2.9.9, 2.10.1 or higher.

Vulnerable versions: [,2.9.9) and [2.10.0,2.10.1)

  • Medium severity: Access Restriction Bypass


Affected versions of this package are vulnerable to Access Restriction Bypass. When creating a new container based on one of the Docker images listed below, the same secret key was used by default. If users did not set a custom value via environment variables in the .env file, that key was shared across different CKAN instances, making it easy to forge authentication requests.

The affected images are:

  • ckan/ckan-docker (ckan/ckan-base images)
  • okfn/docker-ckan (openknowledge/ckan-base and openknowledge/ckan-dev images)
  • keitaroinc/docker-ckan (keitaro/ckan images)

How to fix Access Restriction Bypass?

Upgrade ckan to version 2.8.12, 2.9.7 or higher.

Vulnerable versions: [,2.8.12) and [2.9.0,2.9.7)

  • High severity: Improper Access Control


Affected versions of this package are vulnerable to Improper Access Control when an existing user id is sent via an HTTP POST request. This allows a user to take over an existing account including superuser accounts.

How to fix Improper Access Control?

Upgrade ckan to version 2.9.7 or higher.

Vulnerable versions: [,2.9.7)

  • Medium severity: Cross-site Scripting (XSS)


Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the autocomplete module.

How to fix Cross-site Scripting (XSS)?

Upgrade ckan to version 2.6.9, 2.7.7, 2.8.4 or higher.

Vulnerable versions: [,2.6.9), [2.7.0,2.7.7) and [2.8.0,2.8.4)