CVE-2024-43371 ckan

Package

Manager: pip
Name: ckan
Vulnerable Version: >=0 <2.10.5

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00085 (percentile 0.25551)

Details

Potential access to sensitive URLs via CKAN extensions (SSRF)

### Impact

There are a number of CKAN plugins, including [XLoader](https://github.com/ckan/ckanext-xloader), [DataPusher](https://github.com/ckan/datapusher), [Resource proxy](https://docs.ckan.org/en/latest/maintaining/data-viewer.html#resource-proxy) and [ckanext-archiver](https://github.com/ckan/ckanext-archiver/), that work by downloading the contents of local or remote files in order to perform some actions with their contents (e.g. pushing to the DataStore, streaming contents or saving a local copy). All of them use the resource URL, and there are currently no checks to limit what URLs can be requested. This means that a malicious (or unaware) user can create a resource with a URL pointing to a place where they should not have access in order for one of the previous tools to retrieve it (known as a [Server Side Request Forgery](https://owasp.org/www-community/attacks/Server_Side_Request_Forgery)).

### Patches and Workarounds

Users wanting to protect against these kinds of attacks can use one or a combination of the following approaches:

* Use a separate HTTP proxy like [Squid](https://www.squid-cache.org/) that can be used to allow / disallow IPs, domains etc. as needed, and make CKAN extensions aware of this setting via the [`ckan.download_proxy`](https://docs.ckan.org/en/latest/maintaining/configuration.html#ckan-download-proxy) config option.
* Implement custom firewall rules to prevent access to restricted resources.
* Use custom validators on the resource `url` field to block/allow certain domains or IPs.

All latest versions of the plugins linked above support the `ckan.download_proxy` setting. Support for this setting in the Resource Proxy plugin was included in CKAN 2.10.5 and 2.11.0.

### References

* [Blog post](https://feeding.cloud.geek.nz/posts/restricting-outgoing-webapp-requests-using-squid-proxy/) provides more details on how to configure a Squid proxy to prevent these issues.

Metadata

Created: 2024-08-21T18:27:11Z
Modified: 2024-08-21T18:27:12Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-g9ph-j5vj-f8wm/GHSA-g9ph-j5vj-f8wm.json
CWE IDs: ["CWE-918"]
Alternative ID: GHSA-g9ph-j5vj-f8wm
Finding: F100
Auto approve: 1