Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-r7ac-xj5b-d7gg
Vulnerability ID VCID-r7ac-xj5b-d7gg
Aliases CVE-2024-27097
GHSA-8g38-3m6v-232j
Summary Potential log injection in reset user endpoint in CKAN A user endpoint didn't perform filtering on an incoming parameter, which was added directly to the application log. This could lead to an attacker injecting false log entries or corrupt the log file format. ### Patches This has been fixed in the CKAN 2.9.11 and 2.10.4 versions ### Workarounds Override the `/user/reset` endpoint to filter the `id` parameter in order to exclude newlines
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-117 Improper Output Neutralization for Logs
CWE-532 Insertion of Sensitive Information into Log File
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
There are no known severity scores.
Reference id Reference type URL
https://docs.ckan.org/en/2.10/changelog.html#v-2-10-4-2024-03-13
https://github.com/ckan/ckan
https://github.com/ckan/ckan/commit/5fa133e7e9019573066455b5d442e93c62b3fc93
https://github.com/ckan/ckan/commit/81b56c55e5e3651d7fcf9642cd5a489a9b62212c
https://github.com/ckan/ckan/commit/d81f411bff2da7347c343a83e17f5814475b5b64
CVE-2024-27097 https://nvd.nist.gov/vuln/detail/CVE-2024-27097
GHSA-8g38-3m6v-232j https://github.com/advisories/GHSA-8g38-3m6v-232j
GHSA-8g38-3m6v-232j https://github.com/ckan/ckan/security/advisories/GHSA-8g38-3m6v-232j
No exploits are available.
There are no known vectors.

No EPSS data available for this vulnerability.

Date Actor Action Source VulnerableCode Version
2026-06-02T04:47:21.914943+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/ckan/CVE-2024-27097.yml 38.6.0