CVE-2024-27097

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-27097

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-27097.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2024-27097

Aliases

GHSA-8g38-3m6v-232j

Published

2024-03-13T21:15:58Z

Modified

2024-10-12T11:20:41.306510Z

Summary

[none]

Details

A user endpoint didn't perform filtering on an incoming parameter, which was added directly to the application log. This could lead to an attacker injecting false log entries or corrupt the log file format. This has been fixed in the CKAN versions 2.9.11 and 2.10.4. Users are advised to upgrade. Users unable to upgrade should override the /user/reset endpoint to filter the id parameter in order to exclude newlines.

References

Affected packages

Git / github.com/ckan/ckan

Affected ranges

Type: GIT
Repo: https://github.com/ckan/ckan
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

81b56c55e5e3651d7fcf9642cd5a489a9b62212c

Affected versions

ckan-1.*

ckan-1.3.3b

ckan-1.4

ckan-1.4.1

ckan-1.4.2

ckan-1.4.3

ckan-1.5

ckan-1.5.1

ckan-1.6

ckan-1.7

demo-0.*

demo-0.1

demo-0.2