PT-2023-23970 · Ckan · Ckan
Published: 2023-05-30 · Updated: 2023-06-06 · CVE-2023-32696
CVSS v3.1: 8.8 (High)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
CKAN versions prior to 2.9.9
CKAN versions prior to 2.10.1
Description
CKAN is an open-source data management system for powering data hubs and data portals. Prior to versions 2.9.9 and 2.10.1, the `ckan` user (the equivalent of `www-data`, the account the web application runs as) owned the application code and configuration files inside the Docker container and was also permitted to use sudo. Either condition turns an arbitrary file write bug, should one be available, into code execution or privilege escalation: the service account can overwrite the code and configuration it runs, and sudo lets it cross the boundary to root.
Recommendations
For versions prior to 2.9.9, update to version 2.9.9 or later.
For versions prior to 2.10.1, update to version 2.10.1 or later.
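As an added defender-side check that is not part of CKAN or of this advisory: a POSIX shell script that audits a container for the two conditions described above, the service account owning (or otherwise being able to write) the application's code and configuration files, and that account holding sudo rights. The paths /srv/app and /etc/ckan and the account name `ckan` are assumptions; adjust them to the deployment.

```shell
#!/bin/sh
# Added audit helper, not CKAN project code. Run inside the CKAN container,
# ideally as root. Assumptions: application code under /srv/app, configuration
# under /etc/ckan, service account named 'ckan' (all adjustable via arguments).

# Print regular files under DIR that USER could modify: owned by USER, writable
# by USER's primary group, or world-writable. Returns 2 if USER does not exist.
writable_by_user() {
    dir=$1; user=$2
    grp=$(id -gn "$user" 2>/dev/null) || return 2
    find "$dir" -type f \( -user "$user" -o \( -group "$grp" -perm -020 \) \
        -o -perm -002 \) 2>/dev/null
}

# Number of such files; 0 means an arbitrary-write-as-USER bug cannot turn into
# code execution by editing the application's own code or configuration.
count_writable_by_user() {
    writable_by_user "$1" "$2" | wc -l | tr -d ' '
}

# Heuristic sudo check: does a sudoers rule name USER or one of its groups?
# Prints yes/no. Sudoers files are root-readable only, so unreadable files are
# skipped and the answer is only meaningful when run as root.
has_sudo_rights() {
    user=$1
    for f in /etc/sudoers /etc/sudoers.d/*; do
        [ -r "$f" ] || continue
        grep -Eq "^[[:space:]]*$user[[:space:]]" "$f" && { echo yes; return 0; }
        for g in $(id -Gn "$user" 2>/dev/null); do
            grep -Eq "^[[:space:]]*%$g[[:space:]]" "$f" && { echo yes; return 0; }
        done
    done
    echo no; return 1
}

# Summarise both conditions from the advisory for the service account.
audit_ckan_container() {
    user=${1:-ckan}
    for d in /srv/app /etc/ckan; do
        [ -d "$d" ] || continue
        echo "$d: $(count_writable_by_user "$d" "$user") file(s) writable by $user"
    done
    echo "sudo rights for $user: $(has_sudo_rights "$user" || true)"
}
```

A hardened image reports 0 writable files for the service account under both trees and no sudo rights; any other result means the fixed versions' ownership and sudo changes have not been applied to that deployment.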
Weakness Enumeration: Improper Privilege Management
Related Identifiers: CVE-2023-32696
Affected Products: Ckan