Ckan Security Vulnerabilities and Issues — Ckan CVE List

Lucene search

OkfnCkan

10 matches found

CVE•added 2023/05/26 11:15 p.m.•99 views

CVE-2023-32321

CKAN is an open-source data management system for powering data hubs and data portals. Multiple vulnerabilities have been discovered in Ckan which may lead to remote code execution. An arbitrary file write in resource_create and package_update actions, using the ResourceUploader object. Also reacha...

9.8CVSS10AI score0.0281EPSS

CVE•added 2021/12/01 2:15 p.m.•63 views

CVE-2021-25967

In CKAN, versions 2.9.0 to 2.9.3 are affected by a stored XSS vulnerability via SVG file upload of users’ profile picture. This allows low privileged application users to store malicious scripts in their profile picture. These scripts are executed in a victim’s browser when they open the malicious ...

5.4CVSS5AI score0.00206EPSS

CVE•added 2022/11/22 1:15 a.m.•51 views

CVE-2022-43685

CKAN through 2.9.6 account takeovers by unauthenticated users when an existing user id is sent via an HTTP POST request. This allows a user to take over an existing account including superuser accounts.

8.8CVSS8.6AI score0.00214EPSS

CVE•added 2023/05/30 7:15 p.m.•50 views

CVE-2023-32696

CKAN is an open-source data management system for powering data hubs and data portals. Prior to versions 2.9.9 and 2.10.1, the ckan user (equivalent to www-data) owned code and configuration files in the docker container and the ckan user had the permissions to use sudo. These issues allowed for co...

8.8CVSS9.1AI score0.0021EPSS

CVE•added 2023/02/03 10:15 p.m.•41 views

CVE-2023-22746

CKAN is an open-source DMS (data management system) for powering data hubs and data portals. When creating a new container based on one of the Docker images listed below, the same secret key was being used by default. If the users didn't set a custom value via environment variables in the .env file...

8.6CVSS7.9AI score0.00075EPSS

CVE•added 2024/03/13 9:15 p.m.•41 views

CVE-2024-27097

A user endpoint didn't perform filtering on an incoming parameter, which was added directly to the application log. This could lead to an attacker injecting false log entries or corrupt the log file format. This has been fixed in the CKAN versions 2.9.11 and 2.10.4. Users are advised to upgrade. Us...

5.3CVSS4.4AI score0.00341EPSS

CVE•added 2024/08/21 3:15 p.m.•39 views

CVE-2024-41674

CKAN is an open-source data management system for powering data hubs and data portals. If there were connection issues with the Solr server, the internal Solr URL (potentially including credentials) could be leaked to package_search calls as part of the returned error message. This has been patched...

5.3CVSS5.3AI score0.00153EPSS

CVE•added 2024/08/21 3:15 p.m.•39 views

CVE-2024-43371

CKAN is an open-source data management system for powering data hubs and data portals. There are a number of CKAN plugins, including XLoader, DataPusher, Resource proxy and ckanext-archiver, that work by downloading the contents of local or remote files in order to perform some actions with their c...

6.5CVSS4.8AI score0.00085EPSS

CVE•added 2024/08/21 3:15 p.m.•37 views

CVE-2024-41675

CKAN is an open-source data management system for powering data hubs and data portals. The Datatables view plugin did not properly escape record data coming from the DataStore, leading to a potential XSS vector. Sites running CKAN >= 2.7.0 with the datatables_view plugin activated. This is a plu...

6.8CVSS6.4AI score0.00296EPSS

CVE•added 2023/12/13 9:15 p.m.•36 views

CVE-2023-50248

CKAN is an open-source data management system for powering data hubs and data portals. Starting in version 2.0.0 and prior to versions 2.9.10 and 2.10.3, when submitting a POST request to the /dataset/new endpoint (including either the auth cookie or the Authorization header) with a specially-craft...

6.5CVSS5.4AI score0.00189EPSS