| purl | pkg:pypi/ckan@2.1.6 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-3xc3-d6rf-8khn (aliases: CVE-2026-42032, GHSA-cg4x-64p3-x59h) | CKAN has Unauthenticated Authorization Bypass in `datastore_search_sql`. **Impact:** A vulnerability in `datastore_search_sql` allowed attackers to bypass authorization in order to gain access to private resources and PostgreSQL system information. **Patches:** The issue has been patched in CKAN 2.10.10 and CKAN 2.11.5. **Workarounds:** Disable the DataStore SQL search (`ckan.datastore.sqlsearch.enabled = false`). Note that the SQL search is disabled by default. **More information:** As stated in the [documentation](https://docs.ckan.org/en/2.11/maintaining/configuration.html#ckan-datastore-sqlsearch-enabled), this action function has protections that offer some safety but are not designed to prevent all types of abuse. Depending on the sensitivity of private data in your DataStore and the likelihood of abuse of your site, you may choose to disable this action function or restrict its use with an [`IAuthFunctions`](https://docs.ckan.org/en/2.11/extensions/plugin-interfaces.html#ckan.plugins.interfaces.IAuthFunctions) plugin. **Credits:** Reported by Arvin Shivram of Brutecat Security. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-4w17-m7f2-9fek (aliases: CVE-2022-43685, GHSA-m2xp-jxfg-qq6g, PYSEC-2022-42987) | CKAN through 2.9.6 allows account takeover by unauthenticated users when an existing user id is sent via an HTTP POST request. This allows a user to take over an existing account, including superuser accounts. | Affected by 12 other vulnerabilities. |
| VCID-cfhe-vg25-wye1 (aliases: CVE-2023-32321, GHSA-446m-hmmm-hm8m) | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in ckan. | Affected by 10 other vulnerabilities. Affected by 12 other vulnerabilities. |
| VCID-dusn-kdz1-vygw (aliases: CVE-2023-32696, GHSA-c74x-xfvr-x5wg) | Improper Privilege Management. CKAN is an open-source data management system for powering data hubs and data portals. Prior to versions 2.9.9 and 2.10.1, the `ckan` user (equivalent to www-data) owned code and configuration files in the Docker container, and the `ckan` user had permission to use sudo. These issues allowed code execution or privilege escalation if an arbitrary file write bug was available. Versions 2.9.9, 2.9.9-dev, 2.10.1, and 2.10.1-dev contain a patch. | Affected by 10 other vulnerabilities. Affected by 12 other vulnerabilities. |
| VCID-f4mv-eee1-m3cc (aliases: CVE-2024-41674, GHSA-2rqw-cfhc-35fh) | CKAN may leak Solr credentials via error message in the `package_search` action. If there were connection issues with the Solr server, the internal Solr URL (potentially including credentials) could be leaked to `package_search` calls as part of the returned error message. | Affected by 7 other vulnerabilities. |
| VCID-fkse-y2w6-efgd (aliases: CVE-2025-24372, GHSA-7pq5-qcp6-mcww) | CKAN has an XSS vector in user-uploaded images in group/org and user profiles. Using a specially crafted file, a user could potentially upload a file containing code that, when executed, could send arbitrary requests to the server. If that file was opened by an administrator, it could lead to escalation of privileges of the original submitter or other malicious actions. Users must have been registered on the site to exploit this vulnerability. | Affected by 6 other vulnerabilities. Affected by 6 other vulnerabilities. |
| VCID-nadn-x9je-8bfv (aliases: CVE-2026-42031, GHSA-h7j7-3rx6-xvcg) | CKAN has Unauthenticated SQL Injection and Authorization Bypass in `datastore_search_sql`. **Impact:** A vulnerability in `datastore_search_sql` allowed attackers to inject SQL in order to gain access to private resources and PostgreSQL system information. **Patches:** The issue has been patched in CKAN 2.10.10 and CKAN 2.11.5. **Workarounds:** Disable the DataStore SQL search (`ckan.datastore.sqlsearch.enabled = false`). Note that the SQL search is disabled by default. **More information:** As stated in the [documentation](https://docs.ckan.org/en/2.11/maintaining/configuration.html#ckan-datastore-sqlsearch-enabled), this action function has protections that offer some safety but are not designed to prevent all types of abuse. Depending on the sensitivity of private data in a project's DataStore and the likelihood of abuse of a consuming site, a developer may choose to disable this action function or restrict its use with an [`IAuthFunctions`](https://docs.ckan.org/en/2.11/extensions/plugin-interfaces.html#ckan.plugins.interfaces.IAuthFunctions) plugin. **Credits:** Reported by Arvin Shivram of Brutecat Security. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-r7ac-xj5b-d7gg (aliases: CVE-2024-27097, GHSA-8g38-3m6v-232j) | Potential log injection in the reset user endpoint in CKAN. A user endpoint didn't perform filtering on an incoming parameter, which was added directly to the application log. This could lead to an attacker injecting false log entries or corrupting the log file format. **Patches:** This has been fixed in CKAN 2.9.11 and 2.10.4. **Workarounds:** Override the `/user/reset` endpoint to filter the `id` parameter in order to exclude newlines. | Affected by 8 other vulnerabilities. Affected by 10 other vulnerabilities. |
| VCID-v1bk-nt8x-tkhq (aliases: CVE-2023-50248, GHSA-7fgc-89cx-w8j5) | Improper Handling of Length Parameter Inconsistency. CKAN is an open-source data management system for powering data hubs and data portals. Starting in version 2.0.0 and prior to versions 2.9.10 and 2.10.3, when submitting a POST request to the `/dataset/new` endpoint (including either the auth cookie or the `Authorization` header) with a specially crafted field, an attacker can cause an out-of-memory error in the hosting server. To trigger this error, the attacker needs permission to create or edit datasets. This vulnerability has been patched in CKAN 2.10.3 and 2.9.10. | Affected by 9 other vulnerabilities. Affected by 11 other vulnerabilities. |
| VCID-vn22-99r3-nbgz (aliases: CVE-2025-54384, GHSA-2r4h-8jxv-w2j8) | CKAN vulnerable to stored XSS in resource description. The `helpers.markdown_extract()` function did not perform sufficient sanitization of input data before wrapping it in an HTML literal element. This helper is used to render user-provided data on dataset, resource, organization or group pages (plus any page provided by an extension that uses that helper function), leading to a potential XSS vector. | Affected by 4 other vulnerabilities. Affected by 4 other vulnerabilities. |
| VCID-wf4k-xb1q-nkbt (aliases: CVE-2026-41132, GHSA-mpfm-fpgx-647q) | CKAN has no certificate validation on the SMTP connection. **Impact:** The configured SMTP server may be spoofed with any certificate (e.g. self-signed), leaving credentials and all emails sent open to MITM attacks. **Patches:** The vulnerability has been patched in CKAN 2.10.10 and CKAN 2.11.5. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-y2y5-7ufv-y7br (aliases: CVE-2024-43371, GHSA-g9ph-j5vj-f8wm) | Potential access to sensitive URLs via CKAN extensions (SSRF). There are a number of CKAN plugins, including [XLoader](https://github.com/ckan/ckanext-xloader), [DataPusher](https://github.com/ckan/datapusher), [Resource proxy](https://docs.ckan.org/en/latest/maintaining/data-viewer.html#resource-proxy) and [ckanext-archiver](https://github.com/ckan/ckanext-archiver/), that work by downloading the contents of local or remote files in order to perform some action with their contents (e.g. pushing to the DataStore, streaming contents or saving a local copy). All of them use the resource URL, and there are currently no checks to limit what URLs can be requested. This means that a malicious (or unaware) user can create a resource with a URL pointing to a location they should not have access to, so that one of the previous tools retrieves it (known as a [Server Side Request Forgery](https://owasp.org/www-community/attacks/Server_Side_Request_Forgery)). | Affected by 7 other vulnerabilities. |
| VCID-yp8z-f7q6-gffb (aliases: CVE-2023-22746, GHSA-pr8j-v4c8-h62x) | Use of Insufficiently Random Values. CKAN is an open-source DMS (data management system) for powering data hubs and data portals. When creating a new container based on one of the Docker images listed below, the same secret key was being used by default. If users didn't set a custom value via environment variables in the `.env` file, that key was shared across different CKAN instances, making it easy to forge authentication requests. Users overriding the default secret key in their own `.env` file are not affected by this issue. Note that the legacy images (ckan/ckan) located in the main CKAN repo are not affected by this issue. The affected images are ckan/ckan-docker (ckan/ckan-base images), okfn/docker-ckan (openknowledge/ckan-base and openknowledge/ckan-dev images) and keitaroinc/docker-ckan (keitaro/ckan images). | Affected by 13 other vulnerabilities. Affected by 12 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | | |