PT-2023-18682 · Ckan · Ckan

Published 2023-02-03 · Updated 2023-02-14 · CVE-2023-22746

CVSS v3.1: 8.6 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Name of the Vulnerable Software and Affected Versions: CKAN (affected versions not specified; the issue lies in the Docker images listed below rather than in a particular CKAN release)
Description: CKAN is an open-source data management system. Several of the Docker images used to deploy it ship with the same default secret key, so every container created from those images inherits that key unless the operator overrides it. Because the key is public to anyone who pulls the image, and because CKAN uses it to sign authentication material, an attacker can forge authentication requests against any instance whose operator did not set a custom secret key via environment variables in the .env file. The affected images include ckan/ckan-docker, ckan/ckan-base, okfn/docker-ckan, openknowledge/ckan-base, openknowledge/ckan-dev, keitaroinc/docker-ckan, and keitaro/ckan.
Recommendations: For all affected deployments, set a custom secret key via environment variables in the .env file so the shared default is never used; generate the value with a cryptographically secure random source rather than choosing it by hand, and do so before the instance is exposed. If an instance has already run with the default key, replace the key anyway: tokens and sessions signed with the old key, forged or legitimate, stop validating once it changes. Restrict access to authentication endpoints to minimize the risk of exploitation.
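The forgery the description refers to, and the configuration check the recommendation implies, as an added Python example (this is not code from CKAN or from any of the listed images). A generic HMAC-SHA256 token scheme stands in for CKAN's real session and API-token signing; the point it makes is only that whoever knows the signing secret can mint tokens the instance accepts. The variable names CKAN___BEAKER__SESSION__SECRET, CKAN___API_TOKEN__JWT__ENCODE__SECRET and CKAN___API_TOKEN__JWT__DECODE__SECRET, the `CHANGE_ME` placeholder and the `string:` prefix for inline JWT secrets are assumed from the ckan-docker .env template and may differ for other images; the sample .env is constructed.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed stand-in for the default secret baked into a public image.
DEFAULT_SECRET = "CHANGE_ME"

# Secret-bearing variables, assumed from the ckan-docker .env template.
SECRET_VARS = (
    "CKAN___BEAKER__SESSION__SECRET",
    "CKAN___API_TOKEN__JWT__ENCODE__SECRET",
    "CKAN___API_TOKEN__JWT__DECODE__SECRET",
)
PLACEHOLDERS = {"", "CHANGE_ME"}   # values the stock template ships with
MIN_SECRET_LEN = 32                # anything shorter was not drawn from a CSPRNG

# Constructed sample .env: two of the three secrets were never changed.
SAMPLE_ENV = """
CKAN___BEAKER__SESSION__SECRET=CHANGE_ME
CKAN___API_TOKEN__JWT__ENCODE__SECRET=string:CHANGE_ME
CKAN___API_TOKEN__JWT__DECODE__SECRET=string:kX3nQp7vRs2T9wYb4D6fHj1L8mNa5C0eGi2K4oU6qWy8Z1xBv3F5tHr7J9lA2dSM
"""


def sign(payload: dict, secret: str) -> str:
    """Token = base64url(JSON payload) + '.' + hex HMAC-SHA256 over that body."""
    body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode()
    ).decode().rstrip("=")
    mac = hmac.new(secret.encode(), body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def verify(token: str, secret: str) -> Optional[dict]:
    """Payload if the MAC is valid under `secret`, else None."""
    body, sep, mac = token.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(secret.encode(), body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))


def forge_as_admin(instance_secret: str) -> Optional[dict]:
    """Attacker signs with the image default; the instance verifies with its own
    key.  Only an instance still running the default accepts the token."""
    return verify(sign({"user": "admin"}, DEFAULT_SECRET), instance_secret)


def parse_env(text: str) -> dict:
    """Minimal KEY=VALUE parser for a docker-compose style .env file."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip("\"'")
    return env


def weak_secrets(env: dict) -> dict:
    """Map each secret variable that is missing, still a placeholder, or too
    short to the reason, so the operator knows what to replace."""
    findings = {}
    for var in SECRET_VARS:
        if var not in env:
            findings[var] = "missing"
            continue
        value = env[var]
        if value.startswith("string:"):      # CKAN's marker for an inline value
            value = value[len("string:"):]
        if value in PLACEHOLDERS:
            findings[var] = "placeholder"
        elif len(value) < MIN_SECRET_LEN:
            findings[var] = "too short"
    return findings


def new_secret() -> str:
    """Replacement from the OS CSPRNG: 48 random bytes, 64 url-safe characters."""
    return secrets.token_urlsafe(48)


if __name__ == "__main__":
    print("default-key instance accepts forged admin token:",
          forge_as_admin(DEFAULT_SECRET) is not None)
    print("random-key instance accepts forged admin token:",
          forge_as_admin(new_secret()) is not None)
    for var, why in weak_secrets(parse_env(SAMPLE_ENV)).items():
        print(f"{var}: {why}; replace with {new_secret()}")
```

Run against a real .env before the first `docker compose up`: every variable the check reports must be replaced, and each one with its own freshly generated value, because the encode and decode JWT secrets are only independent if they are set independently.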

Weakness Enumeration

CWE-330: Use of Insufficiently Random Values

Related Identifiers

CVE-2023-22746
GHSA-PR8J-V4C8-H62X

Affected Products

Ckan