Search for packages
| purl | pkg:pypi/ckan@2.7.8 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-6epn-ddfg-8fe9
Aliases: CVE-2023-32321 GHSA-446m-hmmm-hm8m |
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in ckan. |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-mfpa-jdxh-vfd3
Aliases: CVE-2023-32696 GHSA-c74x-xfvr-x5wg |
Improper Privilege Management CKAN is an open-source data management system for powering data hubs and data portals. Prior to versions 2.9.9 and 2.10.1, the `ckan` user (equivalent to www-data) owned code and configuration files in the docker container and the `ckan` user had the permissions to use sudo. These issues allowed for code execution or privilege escalation if an arbitrary file write bug was available. Versions 2.9.9, 2.9.9-dev, 2.10.1, and 2.10.1-dev contain a patch. |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-t3gx-x14x-2bf9
Aliases: CVE-2023-50248 GHSA-7fgc-89cx-w8j5 |
Improper Handling of Length Parameter Inconsistency CKAN is an open-source data management system for powering data hubs and data portals. Starting in version 2.0.0 and prior to versions 2.9.10 and 2.10.3, when submitting a POST request to the `/dataset/new` endpoint (including either the auth cookie or the `Authorization` header) with a specially-crafted field, an attacker can create an out-of-memory error in the hosting server. To trigger this error, the attacker need to have permissions to create or edit datasets. This vulnerability has been patched in CKAN 2.10.3 and 2.9.10. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-w6cg-ubux-qbfg
Aliases: CVE-2022-43685 GHSA-m2xp-jxfg-qq6g PYSEC-2022-42987 |
CKAN through 2.9.6 account takeovers by unauthenticated users when an existing user id is sent via an HTTP POST request. This allows a user to take over an existing account including superuser accounts. |
Affected by 3 other vulnerabilities. |
|
VCID-zqyk-rq9a-eked
Aliases: CVE-2023-22746 GHSA-pr8j-v4c8-h62x |
Use of Insufficiently Random Values CKAN is an open-source DMS (data management system) for powering data hubs and data portals. When creating a new container based on one of the Docker images listed below, the same secret key was being used by default. If the users didn't set a custom value via environment variables in the `.env` file, that key was shared across different CKAN instances, making it easy to forge authentication requests. Users overriding the default secret key in their own `.env` file are not affected by this issue. Note that the legacy images (ckan/ckan) located in the main CKAN repo are not affected by this issue. The affected images are ckan/ckan-docker, (ckan/ckan-base images), okfn/docker-ckan (openknowledge/ckan-base and openknowledge/ckan-dev images) keitaroinc/docker-ckan (keitaro/ckan images). |
Affected by 4 other vulnerabilities. Affected by 3 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||