Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS03ZmdjLTg5Y3gtdzhqNc4AA3v5

Out of memory error when submitting the dataset form with a specially-crafted field

Impact

When submitting a POST request to the /dataset/new endpoint (authenticated with either the auth cookie or the Authorization header) that contains a specially-crafted field, an attacker can trigger an out-of-memory error on the hosting server.

To trigger this error, the user needs to have permission to create or edit datasets.

Patches

This vulnerability has been patched in CKAN 2.10.3 and 2.9.10.

Permalink: https://github.com/advisories/GHSA-7fgc-89cx-w8j5
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03ZmdjLTg5Y3gtdzhqNc4AA3v5
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 5 months ago
Updated: 5 months ago


CVSS Score: 4.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H

Identifiers: GHSA-7fgc-89cx-w8j5, CVE-2023-50248
References: Repository: https://github.com/ckan/ckan
Blast Radius: 6.2

Affected Packages

pypi:ckan
Dependent packages: 4
Dependent repositories: 24
Downloads: 1,870 last month
Affected Version Ranges: >= 2.10.0, < 2.10.3, >= 2.0, < 2.9.10
Fixed in: 2.10.3, 2.9.10
All affected versions: 2.0.1, 2.0.7, 2.0.8, 2.1.1, 2.1.5, 2.1.6, 2.2.1, 2.2.3, 2.2.4, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.4.8, 2.4.9, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.5.6, 2.5.7, 2.5.8, 2.5.9, 2.6.0, 2.6.1, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 2.6.7, 2.6.8, 2.6.9, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.7.5, 2.7.6, 2.7.7, 2.7.8, 2.7.9, 2.7.10, 2.7.11, 2.7.12, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.8.5, 2.8.6, 2.8.7, 2.8.8, 2.8.9, 2.8.10, 2.8.11, 2.8.12, 2.9.0, 2.9.1, 2.9.2, 2.9.3, 2.9.4, 2.9.5, 2.9.6, 2.9.7, 2.9.8, 2.9.9, 2.10.0, 2.10.1
All unaffected versions: 1.3.2, 1.3.3, 1.4.1, 1.4.2, 1.4.3, 1.5.1, 1.7.1, 2.9.10, 2.9.11, 2.10.3, 2.10.4