PT-2024-21647 · Ckan · Ckan

Zuhairorzaki

Published

2024-03-13

Updated

2024-03-14

CVE-2024-27097

CVSS v3.1

5.3

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions CKAN versions prior to 2.9.11 CKAN versions prior to 2.10.4

Description A user endpoint didn't perform filtering on an incoming parameter, which was added directly to the application log. This could lead to an attacker injecting false log entries or corrupt the log file format. The issue is related to the /user/reset endpoint and the id parameter.

Recommendations For CKAN versions prior to 2.9.11, upgrade to version 2.9.11 or later. For CKAN versions prior to 2.10.4, upgrade to version 2.10.4 or later. As a temporary workaround for users unable to upgrade, override the "/user/reset" endpoint to filter the id parameter in order to exclude newlines.

Exploit

Fix

Insertion into Log File

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-532CWE-117

Related Identifiers

CVE-2024-27097

GHSA-8G38-3M6V-232J

Affected Products

Ckan

PT-2024-21647 · Ckan · Ckan

CVE-2024-27097

Weakness Enumeration

Related Identifiers

Affected Products

References · 11