Ckan · Ckan · CVE-2023-50248
**Name of the Vulnerable Software and Affected Versions**
CKAN versions 2.0.0 through 2.9.9
CKAN versions 2.10.0 through 2.10.2
**Description**
CKAN is an open-source data management system for powering data hubs and data portals. When submitting a POST request to the "/dataset/new" endpoint (including either the auth cookie or the `Authorization` header) with a specially-crafted field, an attacker can create an out-of-memory error in the hosting server. To trigger this error, the attacker needs to have permissions to create or edit datasets.
**Recommendations**
For CKAN versions 2.0.0 through 2.9.9, update to version 2.9.10 or later.
For CKAN versions 2.10.0 through 2.10.2, update to version 2.10.3 or later.
As a temporary workaround, consider restricting access to the "/dataset/new" endpoint for users with permissions to create or edit datasets until a patch is applied.
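To turn the affected ranges above into a check an operator can run against an inventory, here is an added example (not code from the advisory or from the CKAN project) that parses a CKAN version string, tests it against the two affected ranges stated in this advisory, and names the fixed release to move to. The version tuples below are the ones from this advisory; the function names are the example's own.

```python
"""Check an installed CKAN version against the ranges affected by CVE-2023-50248.

Added example, not part of the advisory or the CKAN code base. The affected
and fixed versions are taken from the advisory text; everything else is an
assumption of this example.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# (first affected, last affected, first fixed) per release line, as stated in the advisory.
AFFECTED_RANGES = [
    ((2, 0, 0), (2, 9, 9), (2, 9, 10)),
    ((2, 10, 0), (2, 10, 2), (2, 10, 3)),
]

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)\s*$")


def parse_version(text: str) -> Version:
    """Parse 'X.Y.Z' (optional leading 'v') into an int tuple.

    Comparing tuples of ints is what makes 2.9.10 sort after 2.9.9; a plain
    string comparison would rank '2.9.10' below '2.9.9' and miss the fix.
    Pre-release or otherwise non-numeric strings are rejected rather than
    guessed at, so the caller has to decide what they mean.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised CKAN version string: {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def fixed_version_for(version: str) -> Optional[str]:
    """Return the release to upgrade to if `version` is affected, else None."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= v <= high:
            return ".".join(str(n) for n in fixed)
    return None


def is_affected(version: str) -> bool:
    """True when `version` falls inside either affected range from the advisory."""
    return fixed_version_for(version) is not None


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in [("portal-a", "2.9.9"), ("portal-b", "2.9.10"), ("portal-c", "2.10.1")]:
        fix = fixed_version_for(ver)
        print(f"{host}: CKAN {ver} -> " + (f"upgrade to {fix}" if fix else "not affected"))
```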