CVE-2024-27097 – ckan

Package

Manager: pip
Name: ckan
Vulnerable Version: >=0 <2.9.11 || >=2.10.0 <2.10.4

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00261 pctl0.49265

Details

Potential log injection in reset user endpoint in CKAN A user endpoint didn't perform filtering on an incoming parameter, which was added directly to the application log. This could lead to an attacker injecting false log entries or corrupt the log file format. ### Patches This has been fixed in the CKAN 2.9.11 and 2.10.4 versions ### Workarounds Override the `/user/reset` endpoint to filter the `id` parameter in order to exclude newlines

Metadata

Created: 2024-03-13T15:30:03Z
Modified: 2024-03-13T22:28:40Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-8g38-3m6v-232j/GHSA-8g38-3m6v-232j.json
CWE IDs: ["CWE-117", "CWE-532"]
Alternative ID: GHSA-8g38-3m6v-232j
Finding: F059
Auto approve: 1