Search for packages
| purl | pkg:pypi/ckan@2.4.2 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1has-6rxa-x3ht
Aliases: CVE-2025-54384 GHSA-2r4h-8jxv-w2j8 |
CKAN vulnerable to stored XSS in resource description The `helpers.markdown_extract()` function did not perform sufficient sanitization of input data before wrapping in an HTML literal element. This helper is used to render user-provided data on dataset, resource, organization or group pages (plus any page provided by an extension that used that helper function), leading to a potential XSS vector. |
Affected by 0 other vulnerabilities. Affected by 4 other vulnerabilities. |
|
VCID-5hj2-93n8-bubp
Aliases: CVE-2025-24372 GHSA-7pq5-qcp6-mcww |
Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
|
VCID-6epn-ddfg-8fe9
Aliases: CVE-2023-32321 GHSA-446m-hmmm-hm8m |
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in ckan. |
Affected by 7 other vulnerabilities. Affected by 8 other vulnerabilities. |
|
VCID-bah9-eeve-zybg
Aliases: CVE-2024-27097 GHSA-8g38-3m6v-232j |
Potential log injection in reset user endpoint in CKAN A user endpoint didn't perform filtering on an incoming parameter, which was added directly to the application log. This could lead to an attacker injecting false log entries or corrupt the log file format. ### Patches This has been fixed in the CKAN 2.9.11 and 2.10.4 versions ### Workarounds Override the `/user/reset` endpoint to filter the `id` parameter in order to exclude newlines |
Affected by 5 other vulnerabilities. Affected by 6 other vulnerabilities. |
|
VCID-mfpa-jdxh-vfd3
Aliases: CVE-2023-32696 GHSA-c74x-xfvr-x5wg |
Improper Privilege Management CKAN is an open-source data management system for powering data hubs and data portals. Prior to versions 2.9.9 and 2.10.1, the `ckan` user (equivalent to www-data) owned code and configuration files in the docker container and the `ckan` user had the permissions to use sudo. These issues allowed for code execution or privilege escalation if an arbitrary file write bug was available. Versions 2.9.9, 2.9.9-dev, 2.10.1, and 2.10.1-dev contain a patch. |
Affected by 7 other vulnerabilities. Affected by 8 other vulnerabilities. |
|
VCID-q8zb-pgzr-rqgs
Aliases: CVE-2024-41674 GHSA-2rqw-cfhc-35fh |
Affected by 3 other vulnerabilities. |
|
|
VCID-t3gx-x14x-2bf9
Aliases: CVE-2023-50248 GHSA-7fgc-89cx-w8j5 |
Improper Handling of Length Parameter Inconsistency CKAN is an open-source data management system for powering data hubs and data portals. Starting in version 2.0.0 and prior to versions 2.9.10 and 2.10.3, when submitting a POST request to the `/dataset/new` endpoint (including either the auth cookie or the `Authorization` header) with a specially-crafted field, an attacker can create an out-of-memory error in the hosting server. To trigger this error, the attacker need to have permissions to create or edit datasets. This vulnerability has been patched in CKAN 2.10.3 and 2.9.10. |
Affected by 6 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-w6cg-ubux-qbfg
Aliases: CVE-2022-43685 GHSA-m2xp-jxfg-qq6g PYSEC-2022-42987 |
CKAN through 2.9.6 account takeovers by unauthenticated users when an existing user id is sent via an HTTP POST request. This allows a user to take over an existing account including superuser accounts. |
Affected by 9 other vulnerabilities. |
|
VCID-wc53-cp3f-2faa
Aliases: CVE-2024-43371 GHSA-g9ph-j5vj-f8wm |
Affected by 3 other vulnerabilities. |
|
|
VCID-zqyk-rq9a-eked
Aliases: CVE-2023-22746 GHSA-pr8j-v4c8-h62x |
Use of Insufficiently Random Values CKAN is an open-source DMS (data management system) for powering data hubs and data portals. When creating a new container based on one of the Docker images listed below, the same secret key was being used by default. If the users didn't set a custom value via environment variables in the `.env` file, that key was shared across different CKAN instances, making it easy to forge authentication requests. Users overriding the default secret key in their own `.env` file are not affected by this issue. Note that the legacy images (ckan/ckan) located in the main CKAN repo are not affected by this issue. The affected images are ckan/ckan-docker, (ckan/ckan-base images), okfn/docker-ckan (openknowledge/ckan-base and openknowledge/ckan-dev images) keitaroinc/docker-ckan (keitaro/ckan images). |
Affected by 10 other vulnerabilities. Affected by 9 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||