Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS04ZzM4LTNtNnYtMjMyas4AA58k

Potential log injection in reset user endpoint in CKAN

A user endpoint didn't perform filtering on an incoming parameter, which was added directly to the application log. This could lead to an attacker injecting false log entries or corrupt the log file format.

Patches

This has been fixed in the CKAN 2.9.11 and 2.10.4 versions

Workarounds

Override the /user/reset endpoint to filter the id parameter in order to exclude newlines

Permalink: https://github.com/advisories/GHSA-8g38-3m6v-232j
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04ZzM4LTNtNnYtMjMyas4AA58k
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 months ago
Updated: about 2 months ago

CVSS Score: 4.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Identifiers: GHSA-8g38-3m6v-232j, CVE-2024-27097
References:

Repository: https://github.com/ckan/ckan
Blast Radius: 5.9

Affected Packages

pypi:ckan

Dependent packages: 4
Dependent repositories: 24
Downloads: 1,724 last month
Affected Version Ranges: >= 2.10.0, < 2.10.4, < 2.9.11
Fixed in: 2.10.4, 2.9.11
All affected versions: 1.3.2, 1.3.3, 1.4.1, 1.4.2, 1.4.3, 1.5.1, 1.7.1, 2.0.1, 2.0.7, 2.0.8, 2.1.1, 2.1.5, 2.1.6, 2.2.1, 2.2.3, 2.2.4, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.4.8, 2.4.9, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.5.6, 2.5.7, 2.5.8, 2.5.9, 2.6.0, 2.6.1, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 2.6.7, 2.6.8, 2.6.9, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.7.5, 2.7.6, 2.7.7, 2.7.8, 2.7.9, 2.7.10, 2.7.11, 2.7.12, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.8.5, 2.8.6, 2.8.7, 2.8.8, 2.8.9, 2.8.10, 2.8.11, 2.8.12, 2.9.0, 2.9.1, 2.9.2, 2.9.3, 2.9.4, 2.9.5, 2.9.6, 2.9.7, 2.9.8, 2.9.9, 2.9.10, 2.10.0, 2.10.1, 2.10.3
All unaffected versions: 2.9.11, 2.10.4