Ckan · Ckan · CVE-2023-32321
**Name of the Vulnerable Software and Affected Versions**
CKAN versions prior to 2.9.9
CKAN versions prior to 2.10.1
**Description**
CKAN is an open-source data management system for powering data hubs and data portals. Multiple vulnerabilities have been discovered in CKAN which may lead to remote code execution. An arbitrary file write is possible in the `resource create` and `package update` actions, which use the `ResourceUploader` object; it is also reachable through `package create`, `package revise`, and `package patch`, since these call `package update`. A second issue is remote code execution via unsafe pickle loading in Beaker's session store when it is configured to use the file session store backend. A potential DoS due to the lack of a length check on the resource id is also a concern, and information disclosure and resource overwrite are possible if a user with permission to create a resource knows the id of another resource. Taken together, a user with permission to create or edit a dataset can upload a resource with a specially crafted id to write the uploaded file to an arbitrary location, leading to remote code execution via Beaker's insecure pickle loading.
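The defensive check the arbitrary-file-write issue calls for, as an added example that is not CKAN's own code: the upload path is derived from the resource id only after the id is confirmed to be a canonical UUID of bounded length, and the resolved path is confirmed to stay under the storage root. The storage root and the three-level directory split are assumptions made for this example, not CKAN's configuration.

```python
import os
import uuid
from typing import Optional

# Constructed storage root for this example; a real deployment reads it from its config.
STORAGE_ROOT = "/srv/ckan_storage/resources"
# A canonical UUID is exactly 36 characters; rejecting anything else also bounds the id
# length, which addresses the missing length check described in the advisory.
UUID_LEN = 36


def validate_resource_id(resource_id: object) -> bool:
    """Accept only a canonical, lowercase, hyphenated UUID string."""
    if not isinstance(resource_id, str) or len(resource_id) != UUID_LEN:
        return False
    try:
        parsed = uuid.UUID(resource_id)
    except ValueError:
        return False
    # Round-tripping rejects mixed case and non-canonical spellings of the same value.
    return str(parsed) == resource_id


def safe_resource_path(resource_id: object, storage_root: str = STORAGE_ROOT) -> Optional[str]:
    """Return the on-disk path for the resource, or None if the id is unsafe.

    The id is validated before it is used to build any path, so a crafted id such as
    one containing path separators or '..' components never reaches os.path.join.
    """
    if not validate_resource_id(resource_id):
        return None
    # Directory layout assumed for this example: <root>/<id[0:3]>/<id[3:6]>/<id[6:]>.
    candidate = os.path.join(storage_root, resource_id[:3], resource_id[3:6], resource_id[6:])
    # Defence in depth: confirm the resolved location is still inside the storage root.
    real_root = os.path.realpath(storage_root)
    real_candidate = os.path.realpath(candidate)
    if os.path.commonpath([real_root, real_candidate]) != real_root:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample id (RFC 4122 example value), not a real CKAN resource.
    print(safe_resource_path("3fa85f64-5717-4562-b3fc-2c963f66afa6"))
```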
**Recommendations**
For CKAN versions prior to 2.9.9, upgrade to CKAN 2.9.9 or later.
For CKAN versions prior to 2.10.1, upgrade to CKAN 2.10.1 or later.
As a temporary workaround, consider disabling the `resource create` and `package update` actions until the upgrade can be applied.
Restrict access to the `ResourceUploader` object to minimize the risk of exploitation.
Avoid using the `package create`, `package revise`, and `package patch` actions, which reach the vulnerable code through their calls to `package update`, until the issue is resolved.
Consider configuring Beaker's session store to use a different backend than the file session store to mitigate the risk of remote code execution via unsafe pickle loading.