Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1tMnhwLWp4ZmctcXE2Z84AAv_x
CKAN contains Improper Authentication leading to account takeover
CKAN through 2.9.6 account takeovers by unauthenticated users when an existing user id is sent via an HTTP POST request. This allows a user to take over an existing account including superuser accounts.
Permalink: https://github.com/advisories/GHSA-m2xp-jxfg-qq6gJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tMnhwLWp4ZmctcXE2Z84AAv_x
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: over 1 year ago
CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-m2xp-jxfg-qq6g, CVE-2022-43685
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-43685
- https://ckan.org/
- https://ckan.org/blog/get-latest-patch-releases-your-ckan-site-october-2022
- https://github.com/advisories/GHSA-m2xp-jxfg-qq6g
Affected Packages
pypi:ckan
Dependent packages: 4Dependent repositories: 24
Downloads: 1,870 last month
Affected Version Ranges: < 2.9.7
Fixed in: 2.9.7
All affected versions: 1.3.2, 1.3.3, 1.4.1, 1.4.2, 1.4.3, 1.5.1, 1.7.1, 2.0.1, 2.0.7, 2.0.8, 2.1.1, 2.1.5, 2.1.6, 2.2.1, 2.2.3, 2.2.4, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.4.8, 2.4.9, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.5.6, 2.5.7, 2.5.8, 2.5.9, 2.6.0, 2.6.1, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 2.6.7, 2.6.8, 2.6.9, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.7.5, 2.7.6, 2.7.7, 2.7.8, 2.7.9, 2.7.10, 2.7.11, 2.7.12, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.8.5, 2.8.6, 2.8.7, 2.8.8, 2.8.9, 2.8.10, 2.8.11, 2.8.12, 2.9.0, 2.9.1, 2.9.2, 2.9.3, 2.9.4, 2.9.5, 2.9.6
All unaffected versions: 2.9.7, 2.9.8, 2.9.9, 2.9.10, 2.9.11, 2.10.0, 2.10.1, 2.10.3, 2.10.4