CVELIST:CVE-2024-41674
History: Aug 21, 2024 - 2:31 p.m.

CVE-2024-41674 CKAN may leak Solr credentials via error message in package_search action

2024-08-21 14:31:26
CWE-209 (Generation of Error Message Containing Sensitive Information)
CNA: GitHub_M
Source: www.cve.org
Tags: ckan, solr, credentials, leakage, patched, 2.10.5, 2.11.0

CVSS3: 5.3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS: 0.001
Percentile: 17.7%

CKAN is an open-source data management system for powering data hubs and data portals. If there were connection issues with the Solr server, the internal Solr URL (potentially including credentials) could be leaked to package_search calls as part of the returned error message. This has been patched in CKAN 2.10.5 and 2.11.0.
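The failure mode described above is the classic CWE-209 pattern: a backend client embeds the URL it tried to reach in its exception text, and the API handler forwards that text to the caller. The following is an added example, not CKAN's code and not the actual patch; the Solr URL, the `connect_solr` stand-in and the `package_search_*` functions are constructed for illustration. It contrasts the leaking handler with one that logs a redacted detail server-side and returns only a generic message to the API caller.

```python
"""Added example (not CKAN's code): keep backend connection details out of
API error messages. All names and values here are constructed."""
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: an internal search-backend URL carrying basic-auth
# credentials, as a data portal might have in its configuration.
SOLR_URL = "http://solr_user:s3cret@solr.internal:8983/solr/ckan"


class SearchError(Exception):
    """Error surfaced to API callers of a search action."""


def redact_url_credentials(url: str) -> str:
    """Return the URL with any userinfo (user:password@) removed."""
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return url
    host = parts.hostname or ""
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    return urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))


def connect_solr(url: str):
    """Constructed stand-in for a real client: the connection always fails,
    and, like many HTTP clients, the exception text includes the full URL."""
    raise ConnectionError(f"Failed to connect to {url}: connection refused")


def package_search_vulnerable(query: str, solr_url: str = SOLR_URL):
    """Leaking pattern: the raw exception text becomes the API error."""
    try:
        return connect_solr(solr_url)
    except ConnectionError as exc:
        raise SearchError(str(exc)) from None


def package_search_hardened(query: str, solr_url: str = SOLR_URL, log=None):
    """Hardened pattern: redacted detail goes to the server log, a generic
    message goes to the caller."""
    try:
        return connect_solr(solr_url)
    except ConnectionError as exc:
        detail = str(exc).replace(solr_url, redact_url_credentials(solr_url))
        # Belt and braces: strip the bare password even if the client
        # formatted the URL differently than we expected.
        password = urlsplit(solr_url).password
        if password:
            detail = detail.replace(password, "***")
        if log is not None:
            log.append(detail)
        raise SearchError("Search backend unavailable, please try again later") from None


def error_message(handler, query: str, **kwargs) -> str:
    """Run a search handler and return the message a caller would see."""
    try:
        handler(query, **kwargs)
    except SearchError as exc:
        return str(exc)
    return ""


if __name__ == "__main__":
    print("vulnerable:", error_message(package_search_vulnerable, "climate"))
    server_log = []
    print("hardened:  ", error_message(package_search_hardened, "climate", log=server_log))
    print("server log:", server_log)
```

The detection-side check is the same as the test below: call the search action while the backend is unreachable and confirm that neither the HTTP response nor any client-visible error carries a hostname, port, or userinfo from the backend configuration.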

CNA Affected

[
  {
    "vendor": "ckan",
    "product": "ckan",
    "versions": [
      {
        "version": ">= 2.0, < 2.10.5",
        "status": "affected"
      }
    ]
  }
]

