CVE-2022-43685

Name of the Vulnerable Software and Affected Versions CKAN versions 2.9.6 and earlier

Description The issue allows unauthenticated users to take over existing accounts, including superuser accounts, by sending an existing user id via an HTTP POST request. This enables an attacker to gain control of an existing account.

Recommendations For CKAN versions 2.9.6 and earlier, as a temporary workaround, consider restricting access to the user account management functionality until a patch is available. Avoid using the user id variable in affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.