Lucene search

Veracode Vulnerability DatabaseVERACODE:48516

HistoryAug 22, 2024 - 9:47 a.m.

Server Side Request Forgery (SSRF)

2024-08-2209:47:15

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

ssrf vulnerability

ckan

url validation

http request

remote resources

malicious user

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

6.9

Confidence

High

EPSS

0.001

Percentile

18.8%

JSON

ckan is vulnerable to Server Side Request Forgery (SSRF). The vulnerability is caused due to CKAN plugins like (XLoader, DataPusher, Resource proxy and ckanext-archiver) not validating the resource URLs while making HTTP request to access the remote resources. This can lead to a malicious (or unaware) user creating a resource with a URL pointing to a place where they should not have access to.

References

github.com/ckan/ckan/commit/382beaec98cb331f2a030459ef043c50eaf5ad53

github.com/ckan/ckan/commit/8601183cc2fc87277ea5b33ff75c3a5610812ab5

github.com/ckan/ckan/security/advisories/GHSA-g9ph-j5vj-f8wm

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

6.9

Confidence

High

EPSS

0.001

Percentile

18.8%

JSON

Related for VERACODE:48516