Ckan
CVE-2022-43685
HIGH
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
CKAN through 2.9.6 account takeovers by unauthenticated users when an existing user id is sent via an HTTP POST request. This allows a user to take over an existing account including superuser accounts.
AnalysisAI
CKAN through 2.9.6 account takeovers by unauthenticated users when an existing user id is sent via an HTTP POST request. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Missing Authorization (CWE-862), which allows attackers to access resources or perform actions without proper authorization checks. CKAN through 2.9.6 account takeovers by unauthenticated users when an existing user id is sent via an HTTP POST request. This allows a user to take over an existing account including superuser accounts. Affected products include: Okfn Ckan. Version information: through 2.9.6.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Implement role-based access control, validate authorization on every request server-side, apply principle of least privilege.
CKAN is an open-source data management system for powering data hubs and data portals. Rated critical severity (CVSS 9.8
CKAN is an open-source data management system for powering data hubs and data portals. Rated high severity (CVSS 8.8), t
CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Rated high severity (CVSS 7
CKAN is an open-source data management system for powering data hubs and data portals. Rated medium severity (CVSS 6.5),
CKAN is an open-source data management system for powering data hubs and data portals. Rated medium severity (CVSS 6.5),
CKAN is an open-source data management system for powering data hubs and data portals. Rated medium severity (CVSS 6.1),
In CKAN, versions 2.9.0 to 2.9.3 are affected by a stored XSS vulnerability via SVG file upload of users’ profile pictur
CKAN is an open-source data management system for powering data hubs and data portals. Rated medium severity (CVSS 5.3),
A user endpoint didn't perform filtering on an incoming parameter, which was added directly to the application log. Rate
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today