Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS03ZmdjLTg5Y3gtdzhqNc4AA3v5

Out of memory error when submitting the dataset form with a specially-crafted field

Impact

When submitting a POST request to the /dataset/new endpoint (including either the auth cookie or the Authorization header) with a specially-crafted field, an attacker can create an out-of-memory error in the hosting server.

To trigger this error the user needs to have permissions to create or edit datasets.

Patches

This vulnerability has been patched in CKAN 2.10.3 and 2.9.10

Permalink: https://github.com/advisories/GHSA-7fgc-89cx-w8j5
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03ZmdjLTg5Y3gtdzhqNc4AA3v5
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 11 months ago
Updated: 11 months ago

CVSS Score: 4.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H

Identifiers: GHSA-7fgc-89cx-w8j5, CVE-2023-50248
References:

• https://github.com/ckan/ckan/security/advisories/GHSA-7fgc-89cx-w8j5
• https://nvd.nist.gov/vuln/detail/CVE-2023-50248
• https://github.com/ckan/ckan/commit/bd02018b65c5b81d7ede195d00d0fcbac3aa33be
• https://github.com/advisories/GHSA-7fgc-89cx-w8j5

Repository: https://github.com/ckan/ckan
Blast Radius: 6.2

Affected Packages