VulnerableCode Package Details - pkg:pypi/ckan@2.9.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-4w17-m7f2-9fek Aliases: CVE-2022-43685 PYSEC-2022-42987	CKAN through 2.9.6 account takeovers by unauthenticated users when an existing user id is sent via an HTTP POST request. This allows a user to take over an existing account including superuser accounts.	2.9.7 Affected by 0 other vulnerabilities.
VCID-we78-1vxg-xud1 Aliases: CVE-2021-25967 GHSA-6w9p-88qg-p3g3 PYSEC-2021-841	In CKAN, versions 2.9.0 to 2.9.3 are affected by a stored XSS vulnerability via SVG file upload of users’ profile picture. This allows low privileged application users to store malicious scripts in their profile picture. These scripts are executed in a victim’s browser when they open the malicious profile picture	2.9.4 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 2.10.0 Affected by 5 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-yp8z-f7q6-gffb Aliases: CVE-2023-22746 GHSA-pr8j-v4c8-h62x	Use of Insufficiently Random Values CKAN is an open-source DMS (data management system) for powering data hubs and data portals. When creating a new container based on one of the Docker images listed below, the same secret key was being used by default. If the users didn't set a custom value via environment variables in the `.env` file, that key was shared across different CKAN instances, making it easy to forge authentication requests. Users overriding the default secret key in their own `.env` file are not affected by this issue. Note that the legacy images (ckan/ckan) located in the main CKAN repo are not affected by this issue. The affected images are ckan/ckan-docker, (ckan/ckan-base images), okfn/docker-ckan (openknowledge/ckan-base and openknowledge/ckan-dev images) keitaroinc/docker-ckan (keitaro/ckan images).	2.9.7 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-4w17-m7f2-9fek
Aliases:
CVE-2022-43685
PYSEC-2022-42987

CKAN through 2.9.6 account takeovers by unauthenticated users when an existing user id is sent via an HTTP POST request. This allows a user to take over an existing account including superuser accounts.

2.9.7
Affected by 0 other vulnerabilities.

VCID-we78-1vxg-xud1
Aliases:
CVE-2021-25967
GHSA-6w9p-88qg-p3g3
PYSEC-2021-841

In CKAN, versions 2.9.0 to 2.9.3 are affected by a stored XSS vulnerability via SVG file upload of users’ profile picture. This allows low privileged application users to store malicious scripts in their profile picture. These scripts are executed in a victim’s browser when they open the malicious profile picture

2.9.4
Affected by 1 other vulnerability.

2.10.0
Affected by 5 other vulnerabilities.

VCID-yp8z-f7q6-gffb
Aliases:
CVE-2023-22746
GHSA-pr8j-v4c8-h62x

Use of Insufficiently Random Values CKAN is an open-source DMS (data management system) for powering data hubs and data portals. When creating a new container based on one of the Docker images listed below, the same secret key was being used by default. If the users didn't set a custom value via environment variables in the `.env` file, that key was shared across different CKAN instances, making it easy to forge authentication requests. Users overriding the default secret key in their own `.env` file are not affected by this issue. Note that the legacy images (ckan/ckan) located in the main CKAN repo are not affected by this issue. The affected images are ckan/ckan-docker, (ckan/ckan-base images), okfn/docker-ckan (openknowledge/ckan-base and openknowledge/ckan-dev images) keitaroinc/docker-ckan (keitaro/ckan images).

2.9.7
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-02T04:43:56.059438+00:00	GitLab Importer	Affected by	VCID-yp8z-f7q6-gffb	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/ckan/CVE-2023-22746.yml	38.6.0
2026-06-02T04:40:38.386863+00:00	GitLab Importer	Affected by	VCID-we78-1vxg-xud1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/ckan/CVE-2021-25967.yml	38.6.0
2026-06-02T04:18:02.539273+00:00	Pypa Importer	Affected by	VCID-4w17-m7f2-9fek	https://github.com/pypa/advisory-database/blob/main/vulns/ckan/PYSEC-2022-42987.yaml	38.6.0
2026-06-02T04:16:06.836288+00:00	Pypa Importer	Affected by	VCID-we78-1vxg-xud1	https://github.com/pypa/advisory-database/blob/main/vulns/ckan/PYSEC-2021-841.yaml	38.6.0