Ckan
CVE-2024-27097
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
A user endpoint didn't perform filtering on an incoming parameter, which was added directly to the application log. This could lead to an attacker injecting false log entries or corrupt the log file format. This has been fixed in the CKAN versions 2.9.11 and 2.10.4. Users are advised to upgrade. Users unable to upgrade should override the /user/reset endpoint to filter the id parameter in order to exclude newlines.
AnalysisAI
A user endpoint didn't perform filtering on an incoming parameter, which was added directly to the application log. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Technical ContextAI
This vulnerability is classified under CWE-532. A user endpoint didn't perform filtering on an incoming parameter, which was added directly to the application log. This could lead to an attacker injecting false log entries or corrupt the log file format. This has been fixed in the CKAN versions 2.9.11 and 2.10.4. Users are advised to upgrade. Users unable to upgrade should override the /user/reset endpoint to filter the id parameter in order to exclude newlines. Affected products include: Okfn Ckan.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
CKAN is an open-source data management system for powering data hubs and data portals. Rated critical severity (CVSS 9.8
CKAN is an open-source data management system for powering data hubs and data portals. Rated high severity (CVSS 8.8), t
CKAN through 2.9.6 account takeovers by unauthenticated users when an existing user id is sent via an HTTP POST request.
CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Rated high severity (CVSS 7
CKAN is an open-source data management system for powering data hubs and data portals. Rated medium severity (CVSS 6.5),
CKAN is an open-source data management system for powering data hubs and data portals. Rated medium severity (CVSS 6.5),
CKAN is an open-source data management system for powering data hubs and data portals. Rated medium severity (CVSS 6.1),
In CKAN, versions 2.9.0 to 2.9.3 are affected by a stored XSS vulnerability via SVG file upload of users’ profile pictur
CKAN is an open-source data management system for powering data hubs and data portals. Rated medium severity (CVSS 5.3),
Same technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today