PT-2023-23728 · Ckan+1

Yoloclin · Published 2023-05-24 · Updated 2023-06-03 · CVE-2023-32321

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
CKAN versions prior to 2.9.9
CKAN versions prior to 2.10.1

Description
CKAN is an open-source data management system for powering data hubs and data portals. Multiple vulnerabilities have been discovered in CKAN which may lead to remote code execution:
- An arbitrary file write is possible in the resource create and package update actions, which use the ResourceUploader object. This code path is also reachable through package create, package revise and package patch, since they call package update.
- Remote code execution via unsafe pickle loading in Beaker's session store, when it is configured to use the file session store backend.
- A potential DoS due to the lack of a length check on the resource id.
- Information disclosure and resource overwrite are possible if a user with permission to create a resource knows the id of another resource.
Chained together, a user with permission to create or edit a dataset can upload a resource with a specially crafted id so that the uploaded file is written to an arbitrary location, leading to remote code execution through Beaker's insecure pickle loading.
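The root cause shared by the file write, the overwrite and the DoS items above is that a client-supplied resource id reaches a filesystem path without a length bound, a character whitelist or a containment check. The following is an added example of the validation a defender would want at that boundary; it is not CKAN's code, and the function names, the storage layout (<root>/resources/<id[0:3]>/<id[3:6]>/<id[6:]>) and the sample ids are assumptions made for illustration.

```python
"""
Hardened handling of a user-supplied resource id before it is turned into a
filesystem path. Added example, not CKAN's own code: the names, the assumed
storage layout and the sample ids below are illustrative only.
"""
import re
import uuid
from pathlib import Path
from typing import Optional

# A resource id is expected to be a canonical UUID string. The hard length
# bound is checked before anything else so oversized ids are refused without
# further work (the missing-length-check DoS in the advisory).
MAX_RESOURCE_ID_LEN = 36
RESOURCE_ID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)


class InvalidResourceId(ValueError):
    """Raised when a resource id fails validation."""


def validate_resource_id(resource_id: object) -> str:
    """Return the id lower-cased if it is a canonical UUID string, else raise.

    Length first, then a strict hex-and-hyphen pattern: that rules out path
    separators, '..', NUL bytes and anything else a path builder could trip on.
    """
    if not isinstance(resource_id, str):
        raise InvalidResourceId("resource id must be a string")
    if len(resource_id) > MAX_RESOURCE_ID_LEN:
        raise InvalidResourceId("resource id too long")
    candidate = resource_id.lower()
    if not RESOURCE_ID_RE.match(candidate):
        raise InvalidResourceId("resource id is not a UUID")
    # Independent second check: the id must round-trip through uuid.UUID.
    if str(uuid.UUID(candidate)) != candidate:
        raise InvalidResourceId("resource id is not canonical")
    return candidate


def is_valid_resource_id(resource_id: object) -> bool:
    """Boolean convenience wrapper around validate_resource_id."""
    try:
        validate_resource_id(resource_id)
        return True
    except InvalidResourceId:
        return False


def assign_resource_id_on_create(requested: Optional[str]) -> str:
    """On resource creation, ignore any client-supplied id and mint one server-side.

    This closes the overwrite / information-disclosure case: a caller who knows
    another resource's id cannot create a resource under that id.
    """
    return str(uuid.uuid4())


def resource_storage_path(storage_root: Path, resource_id: str) -> Path:
    """Build the on-disk path for a resource and prove it stays under storage_root.

    The containment check is kept even though the id is validated, as defence in
    depth: if validation is ever loosened, an escaping path is still refused.
    """
    rid = validate_resource_id(resource_id)
    root = storage_root.resolve()
    # Assumed layout: two short prefix directories to avoid huge flat directories.
    target = (root / "resources" / rid[0:3] / rid[3:6] / rid[6:]).resolve()
    if root not in target.parents:
        raise InvalidResourceId("resource path escapes storage root")
    return target


if __name__ == "__main__":
    # Constructed sample id, not a real CKAN resource.
    sample = "9b5c6d7e-1f2a-4b3c-8d9e-0f1a2b3c4d5e"
    print(resource_storage_path(Path("/srv/ckan/storage"), sample))
    print(is_valid_resource_id("../not-an-id"), is_valid_resource_id("a" * 10_000))
```

The order of checks matters: the length bound runs before the regex so that a multi-kilobyte id costs nothing, and the path check uses `Path.resolve()` on both sides so symlinked storage roots compare correctly.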
Recommendations
For CKAN versions prior to 2.9.9, upgrade to CKAN 2.9.9 or later. For CKAN versions prior to 2.10.1, upgrade to CKAN 2.10.1 or later.
As a temporary workaround, consider disabling the resource create and package update actions until a patch is available, and restrict access to the ResourceUploader object to minimize the risk of exploitation. Avoid using the package create, package revise and package patch actions (which call package update) until the issue is resolved. Consider configuring Beaker's session store to use a backend other than the file session store to mitigate the risk of remote code execution via unsafe pickle loading.

Exploit · Fix · RCE · DoS

Weakness Enumeration

Related Identifiers: CVE-2023-32321, GHSA-446M-HMMM-HM8M

Affected Products: Beaker, Ckan