GHSA-8g38-3m6v-232j
Suggest an improvement- Source
- https://github.com/advisories/GHSA-8g38-3m6v-232j
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-8g38-3m6v-232j/GHSA-8g38-3m6v-232j.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-8g38-3m6v-232j
- Aliases
- Published
- 2024-03-13T15:30:03Z
- Modified
- 2024-03-13T22:45:50.745161Z
- Severity
-
- 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N CVSS Calculator
- Summary
- Potential log injection in reset user endpoint in CKAN
- Details
-
A user endpoint didn't perform filtering on an incoming parameter, which was added directly to the application log. This could lead to an attacker injecting false log entries or corrupt the log file format.
Patches
This has been fixed in the CKAN 2.9.11 and 2.10.4 versions
Workarounds
Override the
/user/resetendpoint to filter theidparameter in order to exclude newlines - Database specific
{ "nvd_published_at": "2024-03-13T21:15:58Z", "cwe_ids": [ "CWE-117", "CWE-532" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-03-13T15:30:03Z" }- References
-
- https://github.com/ckan/ckan/security/advisories/GHSA-8g38-3m6v-232j
- https://nvd.nist.gov/vuln/detail/CVE-2024-27097
- https://github.com/ckan/ckan/commit/5fa133e7e9019573066455b5d442e93c62b3fc93
- https://github.com/ckan/ckan/commit/81b56c55e5e3651d7fcf9642cd5a489a9b62212c
- https://github.com/ckan/ckan/commit/d81f411bff2da7347c343a83e17f5814475b5b64
- https://docs.ckan.org/en/2.10/changelog.html#v-2-10-4-2024-03-13
- https://github.com/ckan/ckan
Affected packages
PyPI / ckan
Package
- Name
- ckan
- View open source insights on deps.dev
- Purl
- pkg:pypi/ckan
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.9.11
Affected versions
0.*
0.3
0.4
0.5
0.6
0.7
0.8
0.11
1.*
1.0
1.1
1.2
1.3
1.3.2
1.3.3
1.4
1.4.1
1.4.2
1.4.3
1.4.3.1
1.5
1.5.1
1.6
1.7
1.7.1
1.8
2.*
2.0
2.0.1
2.0.7
2.0.8
2.1
2.1.1
2.1.5
2.1.6
2.2
2.2.1
2.2.3
2.2.4
2.3
2.3.1
2.3.2
2.3.3
2.3.4
2.3.5
2.4.0
2.4.1
2.4.2
2.4.3
2.4.4
2.4.5
2.4.8
2.4.9
2.5.0
2.5.1
2.5.2
2.5.3
2.5.4
2.5.6
2.5.7
2.5.8
2.5.9
2.6.0
2.6.1
2.6.3
2.6.4
2.6.5
2.6.6
2.6.7
2.6.8
2.6.9
2.7.0
2.7.1
2.7.2
2.7.3
2.7.4
2.7.5
2.7.6
2.7.7
2.7.8
2.7.9
2.7.10
2.7.11
2.7.12
2.8.0
2.8.1
2.8.2
2.8.3
2.8.4
2.8.5
2.8.6
2.8.7
2.8.8
2.8.9
2.8.10
2.8.11
2.8.12
2.9.0
2.9.1
2.9.2
2.9.3
2.9.4
2.9.5
2.9.6
2.9.7
2.9.8
2.9.9
2.9.10
PyPI / ckan
Package
- Name
- ckan
- View open source insights on deps.dev
- Purl
- pkg:pypi/ckan