PT-2024-30535 · Unknown+3 · Ckanext-Archiver+5

Senzee1984 · Published 2024-08-21 · Updated 2024-08-23 · CVE-2024-43371

CVSS v4.0: 6.8 (Medium)
Vector: AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

CKAN versions prior to 2.10.5
CKAN versions prior to 2.11.0

Description

CKAN is an open-source data management system for powering data hubs and data portals. A number of CKAN plugins, including XLoader, DataPusher, Resource proxy, and ckanext-archiver, work by downloading the contents of local or remote files in order to perform some action with their contents. All of them use the resource URL, and there are currently no checks to limit which URLs can be requested. This means that a malicious (or unaware) user can create a resource whose URL points to a location they should not have access to, so that one of these tools retrieves it on their behalf, known as a Server Side Request Forgery. Users wanting to protect against this kind of attack can use one or a combination of the following approaches: (1) Use a separate HTTP proxy such as Squid that can allow/disallow IPs, domains, etc., as needed, and make CKAN extensions aware of it via the ckan.download_proxy config option. (2) Implement custom firewall rules to prevent access to restricted resources. (3) Use custom validators on the url field to block/allow certain domains or IPs.

Recommendations

For CKAN versions prior to 2.10.5, use a separate HTTP proxy such as Squid to allow/disallow IPs, domains, etc., as needed, and make CKAN extensions aware of it via the ckan.download_proxy config option. For CKAN versions prior to 2.11.0, implement custom firewall rules to prevent access to restricted resources. For all affected versions, use custom validators on the url field to block/allow certain domains or IPs.
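The third approach above (a custom validator on the url field) as an added example, not code from the CKAN project or from this advisory: it accepts only http/https, resolves the hostname, and rejects any address that is not publicly routable. The FAKE_DNS table and the `resolve` key read from the validator context are constructed here so the example runs offline; wiring the validator into the resource schema is assumed and not shown.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed lookup table standing in for DNS so the example runs offline.
FAKE_DNS = {
    "data.example.org": ["93.184.216.34"],
    "intranet.corp.local": ["10.20.30.40"],
    "mixed.example.net": ["93.184.216.34", "169.254.169.254"],
}

def resolve_all(host):
    """Return every address a hostname maps to (A and AAAA), or [] on failure."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []

def fake_resolve(host):
    """Offline resolver backed by the constructed FAKE_DNS table."""
    return FAKE_DNS.get(host, [])

def check_resource_url(url, resolve=resolve_all):
    """Return None if the URL may be fetched, otherwise a short rejection reason."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return "scheme not allowed"
    host = parts.hostname
    if not host:
        return "missing host"
    try:                       # literal IP in the URL: classify it directly
        ipaddress.ip_address(host)
        addrs = [host]
    except ValueError:         # hostname: classify every address it resolves to
        addrs = resolve(host)
    if not addrs:
        return "host does not resolve"
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        ip = getattr(ip, "ipv4_mapped", None) or ip   # unwrap ::ffff:a.b.c.d
        if not ip.is_global:   # loopback, RFC 1918, link-local, reserved, ...
            return f"host resolves to non-public address {ip}"
    return None

def resource_url_validator(key, data, errors, context):
    """Validator in CKAN's (key, data, errors, context) form (assumed wiring).
    The resolver is taken from the context dict only so tests can run offline."""
    reason = check_resource_url(data.get(key, ""), context.get("resolve", resolve_all))
    if reason:
        errors[key].append(f"resource URL rejected: {reason}")
```

The check runs at validation time, so a hostname whose DNS answer changes between validation and download is not covered; approach (1), routing downloads through a filtering proxy, closes that gap.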

SSRF

Weakness Enumeration

Related Identifiers

CVE-2024-43371
GHSA-G9PH-J5VJ-F8WM

Affected Products

Ckan
Datapusher
Resource Proxy
Squid
Xloader
Ckanext-Archiver