Lucene search

K
veracodeVeracode Vulnerability DatabaseVERACODE:48516
HistoryAug 22, 2024 - 9:47 a.m.

Server Side Request Forgery (SSRF)

2024-08-2209:47:15
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
6
ssrf vulnerability
ckan
url validation
http request
remote resources
malicious user

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

6.9

Confidence

High

EPSS

0.001

Percentile

18.8%

ckan is vulnerable to Server Side Request Forgery (SSRF). The vulnerability is caused due to CKAN plugins like (XLoader, DataPusher, Resource proxy and ckanext-archiver) not validating the resource URLs while making HTTP request to access the remote resources. This can lead to a malicious (or unaware) user creating a resource with a URL pointing to a place where they should not have access to.

Affected configurations

Vulners
Node
veracodeckanRange2.10.42.10.4
OR
veracodeckanRange2.10.42.10.4
VendorProductVersionCPE
veracodeckan*cpe:2.3:a:veracode:ckan:*:*:*:*:*:*:*:*

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

6.9

Confidence

High

EPSS

0.001

Percentile

18.8%