Headline

GHSA-8g38-3m6v-232j: Potential log injection in reset user endpoint in CKAN

A user endpoint didn’t perform filtering on an incoming parameter, which was added directly to the application log. This could lead to an attacker injecting false log entries or corrupt the log file format.

Patches

This has been fixed in the CKAN 2.9.11 and 2.10.4 versions

Workarounds

Override the /user/reset endpoint to filter the id parameter in order to exclude newlines

10 months ago

ghsa

Open in Source

#git

Package

pip ckan (pip)

Affected versions

< 2.9.11

>= 2.10.0, < 2.10.4

Patched versions

2.9.11

2.10.4

Description

Patches

This has been fixed in the CKAN 2.9.11 and 2.10.4 versions

Workarounds

Override the /user/reset endpoint to filter the id parameter in order to exclude newlines

References

GHSA-8g38-3m6v-232j
ckan/ckan@5fa133e
ckan/ckan@81b56c5
ckan/ckan@d81f411
https://docs.ckan.org/en/2.10/changelog.html#v-2-10-4-2024-03-13

amercader published to ckan/ckan

Mar 13, 2024

Published to the GitHub Advisory Database

Mar 13, 2024

Reviewed

Mar 13, 2024

Last updated

Mar 13, 2024

ghsa: Latest News

GHSA-7pq5-qcp6-mcww: CKAN has an XSS vector in user uploaded images in group/org and user profiles

5 hours ago

ghsa

GHSA-w3pj-wh35-fq8w: GeoTools Remote Code Execution (RCE) vulnerability in evaluating XPath expressions

7 hours ago

ghsa

GHSA-wc9m-r3v6-9p5h: Sparkle Signing Checks Bypass

1 day ago

ghsa

GHSA-w7wm-2425-7p2h: MarbleRun unauthenticated recovery allows Coordinator impersonation

1 day ago

ghsa

GHSA-mx2j-7cmv-353c: wasmvm: Malicious smart contract can slow down block production

1 day ago

ghsa