PT-2025-45654 · Pypi · Ckan
Published 2025-10-29 · Updated 2025-10-29
CVSS v3.1 6.1 Medium (vector AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N)
Impact
Session IDs could be fixed by an attacker if the site is configured with server-side session storage (CKAN uses cookie-based session storage by default). Because the session identifier issued before authentication was kept after a successful login, an attacker who could either set a cookie in the victim's browser or obtain the victim's currently valid session identifier could present that identifier afterwards and act as the authenticated user. Session identifiers are now regenerated after each login.
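The flow described above, as an added illustration that is not CKAN's own code: a toy server-side session store (a stand-in for a Redis or filesystem backend) and a minimal application that either keeps the pre-login session identifier or regenerates it on login. The class and function names, and the victim name "alice", are assumptions made for this example.

```python
"""Session fixation against a server-side session store, and the fix.

Added example, not CKAN's code: SessionStore, App and fixation_attack are
hypothetical names chosen for this illustration.
"""
import secrets
from typing import Dict, Optional


class SessionStore:
    """Server-side store mapping opaque session ids to session data."""

    def __init__(self) -> None:
        self._data: Dict[str, dict] = {}

    def create(self, initial: Optional[dict] = None) -> str:
        # Only the server mints ids; an id the client invents is never honoured.
        sid = secrets.token_urlsafe(32)
        self._data[sid] = dict(initial or {})
        return sid

    def get(self, sid: Optional[str]) -> Optional[dict]:
        return self._data.get(sid) if sid else None

    def destroy(self, sid: str) -> None:
        self._data.pop(sid, None)


class App:
    """Minimal application: session cookie value in, cookie value out."""

    def __init__(self, store: SessionStore, regenerate_on_login: bool) -> None:
        self.store = store
        self.regenerate_on_login = regenerate_on_login

    def visit(self, cookie_sid: Optional[str]) -> str:
        """Any request: reuse a valid id from the cookie, else mint a new one."""
        if self.store.get(cookie_sid) is None:
            return self.store.create()
        return cookie_sid

    def login(self, cookie_sid: Optional[str], user: str) -> str:
        """Authenticate; return the id the response's Set-Cookie would carry."""
        sid = self.visit(cookie_sid)
        if self.regenerate_on_login:
            # Fix: mint a fresh id, carry the data over, and retire the
            # pre-login id so anything planted before authentication
            # no longer resolves to the authenticated session.
            old = sid
            sid = self.store.create(self.store.get(old))
            self.store.destroy(old)
        self.store.get(sid)["user"] = user
        return sid

    def whoami(self, cookie_sid: Optional[str]) -> Optional[str]:
        data = self.store.get(cookie_sid)
        return data.get("user") if data else None


def fixation_attack(regenerate_on_login: bool) -> Optional[str]:
    """Return the identity the attacker ends up with after the victim logs in."""
    app = App(SessionStore(), regenerate_on_login)
    # 1. Attacker obtains a valid, server-issued pre-authentication id.
    attacker_sid = app.visit(None)
    # 2. Attacker plants that id in the victim's browser (the cookie-setting
    #    mechanism itself is outside this example).
    victim_cookie = attacker_sid
    # 3. Victim logs in carrying the planted id.
    app.login(victim_cookie, "alice")
    # 4. Attacker presents the id they already know.
    return app.whoami(attacker_sid)


if __name__ == "__main__":
    print("vulnerable (id kept):     ", fixation_attack(False))  # alice
    print("patched (id regenerated): ", fixation_attack(True))   # None
```

With the pre-login identifier kept, the attacker's planted id resolves to the victim's authenticated session; with regeneration on login, that id is destroyed and resolves to nothing. Note the store only honours ids it minted itself, which is why the attacker must first obtain a real one rather than inventing a value, and why this class of issue depends on server-side storage rather than a signed cookie session.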
Patches
This vulnerability has been fixed in CKAN 2.10.9 and 2.11.4.
References
[https://en.wikipedia.org/wiki/Session_fixation](https://en.wikipedia.org/wiki/Session_fixation)
Fix
Session Fixation
Weakness Enumeration
Related Identifiers
Affected Products
Ckan