ckan 2.0.8 vulnerabilities

Known vulnerabilities in the ckan package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability	Vulnerable Version
H Cross-site Scripting (XSS) ckan is a world’s leading Open Source data portal platform. It powers dozens of Open Data portals around the world, including data.gov, open.canada.ca and europeandataportal.eu but also regional, research and community organizations. It makes easy to publish, share and find data online and is fully customizable via extensions and plugins. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via user-uploaded images in group/org and user profiles. An attacker can execute arbitrary scripts in the context of the user's browser session by uploading a specially crafted file. Note: This is only exploitable if the user has the ability to upload files and the file types are not restricted by the site's configuration. How to fix Cross-site Scripting (XSS)? Upgrade `ckan` to version 2.10.7, 2.11.2 or higher.	[,2.10.7)[2.11.0,2.11.2)
M Information Exposure Through an Error Message ckan is a world’s leading Open Source data portal platform. It powers dozens of Open Data portals around the world, including data.gov, open.canada.ca and europeandataportal.eu but also regional, research and community organizations. It makes easy to publish, share and find data online and is fully customizable via extensions and plugins. Affected versions of this package are vulnerable to Information Exposure Through an Error Message due to the error handling mechanism in the `package_search` action. An attacker can obtain sensitive information by triggering connection issues with the Solr server, which results in the internal Solr URL, potentially including credentials, being leaked in the error message. How to fix Information Exposure Through an Error Message? Upgrade `ckan` to version 2.10.5 or higher.	[2.0,2.10.5)
M Server-Side Request Forgery (SSRF) ckan is a world’s leading Open Source data portal platform. It powers dozens of Open Data portals around the world, including data.gov, open.canada.ca and europeandataportal.eu but also regional, research and community organizations. It makes easy to publish, share and find data online and is fully customizable via extensions and plugins. Affected versions of this package are vulnerable to Server-Side Request Forgery (SSRF) due to missing checks via the use of CKAN plugins, including `XLoader,` `DataPusher,` `Resource proxy`, and `context-archiver,` that download content of local or remote files using the resources URLs. An attacker can create a resource with a URL pointing to unauthorized locations and potentially retrieve restricted data. How to fix Server-Side Request Forgery (SSRF)? Upgrade `ckan` to version 2.10.5 or higher.	[,2.10.5)
M Improper Output Neutralization for Logs ckan is a world’s leading Open Source data portal platform. It powers dozens of Open Data portals around the world, including data.gov, open.canada.ca and europeandataportal.eu but also regional, research and community organizations. It makes easy to publish, share and find data online and is fully customizable via extensions and plugins. Affected versions of this package are vulnerable to Improper Output Neutralization for Logs due to the user endpoint not performing filtering on an incoming parameter, which was added directly to the application log. An attacker can inject false log entries or corrupt the log file format by sending crafted input. How to fix Improper Output Neutralization for Logs? Upgrade `ckan` to version 2.9.11, 2.10.4 or higher.	[,2.9.11)[2.10.0,2.10.4)
M Improper Authorization ckan is a world’s leading Open Source data portal platform. It powers dozens of Open Data portals around the world, including data.gov, open.canada.ca and europeandataportal.eu but also regional, research and community organizations. It makes easy to publish, share and find data online and is fully customizable via extensions and plugins. Affected versions of this package are vulnerable to Improper Authorization such that the `ckan` user (equivalent to www-data) owns code and configuration files in the docker container and has the permissions to use sudo. These issues allow an attacker to perform code execution or privilege escalation if an arbitrary file write bug was available. How to fix Improper Authorization? Upgrade `ckan` to version 2.9.9, 2.10.1 or higher.	[,2.9.9)[2.10.0,2.10.1)
M Improper Handling of Length Parameter Inconsistency ckan is a world’s leading Open Source data portal platform. It powers dozens of Open Data portals around the world, including data.gov, open.canada.ca and europeandataportal.eu but also regional, research and community organizations. It makes easy to publish, share and find data online and is fully customizable via extensions and plugins. Affected versions of this package are vulnerable to Improper Handling of Length Parameter Inconsistency via the `/dataset/new` endpoint when submitting a POST request with a specially-crafted field. An attacker can create an out-of-memory error on the hosting server by submitting a malicious payload. Note: This is only exploitable if the user has permissions to create or edit datasets. How to fix Improper Handling of Length Parameter Inconsistency? Upgrade `ckan` to version 2.9.10, 2.10.3 or higher.	[2.0,2.9.10)[2.10.0,2.10.3)
H Arbitrary File Upload ckan is a world’s leading Open Source data portal platform. It powers dozens of Open Data portals around the world, including data.gov, open.canada.ca and europeandataportal.eu but also regional, research and community organizations. It makes easy to publish, share and find data online and is fully customizable via extensions and plugins. Affected versions of this package are vulnerable to Arbitrary File Upload. A user with permissions to create or edit a dataset can upload a resource with a specially crafted resource ID to write the uploaded file in an arbitrary location using path traversal. The arbitrary file write is in the `resource_create` and `package_update` actions, using the `ResourceUploader` object. It is also reachable via `package_create`, `package_revise`, and `package_patch` via calls to `package_update`. Arbitrary files can also be read this way, if the user knows the ID of the desired file. This may enable remote code execution via Beaker's insecure pickle loading when configured to use the file session store backend. Denial of service may be possible by passing a resource ID of excessive length. How to fix Arbitrary File Upload? Upgrade `ckan` to version 2.9.9, 2.10.1 or higher.	[,2.9.9)[2.10.0,2.10.1)
M Access Restriction Bypass ckan is a world’s leading Open Source data portal platform. It powers dozens of Open Data portals around the world, including data.gov, open.canada.ca and europeandataportal.eu but also regional, research and community organizations. It makes easy to publish, share and find data online and is fully customizable via extensions and plugins. Affected versions of this package are vulnerable to Access Restriction Bypass. When creating a new container based on one of the Docker images listed below, the same secret key was being used by default. If the users didn't set a custom value via environment variables in the `.env` file, that key was shared across different CKAN instances, making it easy to forge authentication requests. The affected images are: `ckan/ckan-docker`, (`ckan/ckan-base` images) `okfn/docker-ckan` (`openknowledge/ckan-base` and `openknowledge/ckan-dev` images) `keitaroinc/docker-ckan` (keitaro/ckan images). How to fix Access Restriction Bypass? Upgrade `ckan` to version 2.8.12, 2.9.7 or higher.	[,2.8.12)[2.9.0,2.9.7)
H Improper Access Control ckan is a world’s leading Open Source data portal platform. It powers dozens of Open Data portals around the world, including data.gov, open.canada.ca and europeandataportal.eu but also regional, research and community organizations. It makes easy to publish, share and find data online and is fully customizable via extensions and plugins. Affected versions of this package are vulnerable to Improper Access Control when an existing user id is sent via an HTTP POST request. This allows a user to take over an existing account including superuser accounts. How to fix Improper Access Control? Upgrade `ckan` to version 2.9.7 or higher.	[,2.9.7)
M Cross-site Scripting (XSS) ckan is a world’s leading Open Source data portal platform. It powers dozens of Open Data portals around the world, including data.gov, open.canada.ca and europeandataportal.eu but also regional, research and community organizations. It makes easy to publish, share and find data online and is fully customizable via extensions and plugins. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the `autocomplete` module. How to fix Cross-site Scripting (XSS)? Upgrade `ckan` to version 2.6.9, 2.7.7, 2.8.4 or higher.	[,2.6.9)[2.7.0,2.7.7)[2.8.0,2.8.4)

Vulnerability

Vulnerable Version

Cross-site Scripting (XSS)

ckan is a world’s leading Open Source data portal platform.

It powers dozens of Open Data portals around the world, including data.gov, open.canada.ca and europeandataportal.eu but also regional, research and community organizations.

It makes easy to publish, share and find data online and is fully customizable via extensions and plugins.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via user-uploaded images in group/org and user profiles. An attacker can execute arbitrary scripts in the context of the user's browser session by uploading a specially crafted file.

Note:

This is only exploitable if the user has the ability to upload files and the file types are not restricted by the site's configuration.

How to fix Cross-site Scripting (XSS)?

Upgrade ckan to version 2.10.7, 2.11.2 or higher.

[,2.10.7)[2.11.0,2.11.2)

Information Exposure Through an Error Message

ckan is a world’s leading Open Source data portal platform.

It powers dozens of Open Data portals around the world, including data.gov, open.canada.ca and europeandataportal.eu but also regional, research and community organizations.

It makes easy to publish, share and find data online and is fully customizable via extensions and plugins.

Affected versions of this package are vulnerable to Information Exposure Through an Error Message due to the error handling mechanism in the package_search action. An attacker can obtain sensitive information by triggering connection issues with the Solr server, which results in the internal Solr URL, potentially including credentials, being leaked in the error message.

How to fix Information Exposure Through an Error Message?

Upgrade ckan to version 2.10.5 or higher.

[2.0,2.10.5)

Server-Side Request Forgery (SSRF)

ckan is a world’s leading Open Source data portal platform.

It powers dozens of Open Data portals around the world, including data.gov, open.canada.ca and europeandataportal.eu but also regional, research and community organizations.

It makes easy to publish, share and find data online and is fully customizable via extensions and plugins.

Affected versions of this package are vulnerable to Server-Side Request Forgery (SSRF) due to missing checks via the use of CKAN plugins, including XLoader, DataPusher, Resource proxy, and context-archiver, that download content of local or remote files using the resources URLs. An attacker can create a resource with a URL pointing to unauthorized locations and potentially retrieve restricted data.

How to fix Server-Side Request Forgery (SSRF)?

Upgrade ckan to version 2.10.5 or higher.

[,2.10.5)

Improper Output Neutralization for Logs

ckan is a world’s leading Open Source data portal platform.

It powers dozens of Open Data portals around the world, including data.gov, open.canada.ca and europeandataportal.eu but also regional, research and community organizations.

It makes easy to publish, share and find data online and is fully customizable via extensions and plugins.

Affected versions of this package are vulnerable to Improper Output Neutralization for Logs due to the user endpoint not performing filtering on an incoming parameter, which was added directly to the application log. An attacker can inject false log entries or corrupt the log file format by sending crafted input.

How to fix Improper Output Neutralization for Logs?

Upgrade ckan to version 2.9.11, 2.10.4 or higher.

[,2.9.11)[2.10.0,2.10.4)

Improper Authorization

ckan is a world’s leading Open Source data portal platform.

It powers dozens of Open Data portals around the world, including data.gov, open.canada.ca and europeandataportal.eu but also regional, research and community organizations.

It makes easy to publish, share and find data online and is fully customizable via extensions and plugins.

Affected versions of this package are vulnerable to Improper Authorization such that the ckan user (equivalent to www-data) owns code and configuration files in the docker container and has the permissions to use sudo.

These issues allow an attacker to perform code execution or privilege escalation if an arbitrary file write bug was available.

How to fix Improper Authorization?

Upgrade ckan to version 2.9.9, 2.10.1 or higher.

[,2.9.9)[2.10.0,2.10.1)

Improper Handling of Length Parameter Inconsistency

ckan is a world’s leading Open Source data portal platform.

It powers dozens of Open Data portals around the world, including data.gov, open.canada.ca and europeandataportal.eu but also regional, research and community organizations.

It makes easy to publish, share and find data online and is fully customizable via extensions and plugins.

Affected versions of this package are vulnerable to Improper Handling of Length Parameter Inconsistency via the /dataset/new endpoint when submitting a POST request with a specially-crafted field. An attacker can create an out-of-memory error on the hosting server by submitting a malicious payload.

Note: This is only exploitable if the user has permissions to create or edit datasets.

How to fix Improper Handling of Length Parameter Inconsistency?

Upgrade ckan to version 2.9.10, 2.10.3 or higher.

[2.0,2.9.10)[2.10.0,2.10.3)

Arbitrary File Upload

ckan is a world’s leading Open Source data portal platform.

It powers dozens of Open Data portals around the world, including data.gov, open.canada.ca and europeandataportal.eu but also regional, research and community organizations.

It makes easy to publish, share and find data online and is fully customizable via extensions and plugins.

Affected versions of this package are vulnerable to Arbitrary File Upload. A user with permissions to create or edit a dataset can upload a resource with a specially crafted resource ID to write the uploaded file in an arbitrary location using path traversal. The arbitrary file write is in the resource_create and package_update actions, using the ResourceUploader object. It is also reachable via package_create, package_revise, and package_patch via calls to package_update. Arbitrary files can also be read this way, if the user knows the ID of the desired file.

This may enable remote code execution via Beaker's insecure pickle loading when configured to use the file session store backend.

Denial of service may be possible by passing a resource ID of excessive length.

How to fix Arbitrary File Upload?

Upgrade ckan to version 2.9.9, 2.10.1 or higher.

[,2.9.9)[2.10.0,2.10.1)

Access Restriction Bypass

ckan is a world’s leading Open Source data portal platform.

It powers dozens of Open Data portals around the world, including data.gov, open.canada.ca and europeandataportal.eu but also regional, research and community organizations.

It makes easy to publish, share and find data online and is fully customizable via extensions and plugins.

Affected versions of this package are vulnerable to Access Restriction Bypass. When creating a new container based on one of the Docker images listed below, the same secret key was being used by default. If the users didn't set a custom value via environment variables in the .env file, that key was shared across different CKAN instances, making it easy to forge authentication requests.

The affected images are:

ckan/ckan-docker, (ckan/ckan-base images)
okfn/docker-ckan (openknowledge/ckan-base and openknowledge/ckan-dev images)
keitaroinc/docker-ckan (keitaro/ckan images).

How to fix Access Restriction Bypass?

Upgrade ckan to version 2.8.12, 2.9.7 or higher.

[,2.8.12)[2.9.0,2.9.7)

Improper Access Control

ckan is a world’s leading Open Source data portal platform.

It powers dozens of Open Data portals around the world, including data.gov, open.canada.ca and europeandataportal.eu but also regional, research and community organizations.

It makes easy to publish, share and find data online and is fully customizable via extensions and plugins.

Affected versions of this package are vulnerable to Improper Access Control when an existing user id is sent via an HTTP POST request. This allows a user to take over an existing account including superuser accounts.

How to fix Improper Access Control?

Upgrade ckan to version 2.9.7 or higher.

[,2.9.7)

Cross-site Scripting (XSS)

ckan is a world’s leading Open Source data portal platform.

It powers dozens of Open Data portals around the world, including data.gov, open.canada.ca and europeandataportal.eu but also regional, research and community organizations.

It makes easy to publish, share and find data online and is fully customizable via extensions and plugins.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the autocomplete module.

How to fix Cross-site Scripting (XSS)?

Upgrade ckan to version 2.6.9, 2.7.7, 2.8.4 or higher.

[,2.6.9)[2.7.0,2.7.7)[2.8.0,2.8.4)

ckan@2.0.8 vulnerabilities

CKAN Software

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

How to fix?