VYPR
High severity · NVD Advisory · Published Nov 22, 2022 · Updated Apr 29, 2025

CVE-2022-43685

Description

CKAN through 2.9.6 allows account takeovers by unauthenticated users when an existing user id is sent via an HTTP POST request. This allows a user to take over an existing account, including superuser accounts.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2022-43685 allows unauthenticated account takeover in CKAN ≤ 2.9.6 by sending an existing user id in an HTTP POST request.

Root Cause

CVE-2022-43685 is an authentication bypass in CKAN through version 2.9.6. An unauthenticated attacker can take over any existing account, including superuser accounts, by sending the target user's id in an HTTP POST request [1]. The official description states explicitly that no authentication is required to perform the takeover [1].

Attack Vector

The attacker does not need to be logged in and needs no prior knowledge beyond a valid user id. Submitting a crafted HTTP POST request that carries that id is enough to assume control of the corresponding account [1]. The flaw is reachable over the network, requires no special privileges and no user interaction. CKAN is a widely deployed open-source data management system used by many government and enterprise organisations [2][4], so the exposed population is large.
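The bug class the description points at, shown as an added illustration rather than CKAN's own code: a user-registration handler that honours a client-supplied `id` and writes with merge semantics quietly resets the password of whatever account already holds that id, while the hardened handler assigns ids server-side, drops unlisted fields and never turns a create into an update. The in-memory store, field names and both handlers are assumptions made for the demonstration; the actual CKAN request path and parameters are not reproduced here.

```python
import hashlib
import os
import secrets
import uuid
from typing import Dict, Optional

# Constructed in-memory user table keyed by user id; stands in for the database.
USERS: Dict[str, dict] = {}


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """PBKDF2-SHA256 with a random salt, stored as 'salt_hex$digest_hex'."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    salt_hex = stored.split("$", 1)[0]
    return secrets.compare_digest(hash_password(password, bytes.fromhex(salt_hex)), stored)


def seed_superuser() -> str:
    """Create the pre-existing sysadmin account an attacker would target."""
    admin_id = str(uuid.uuid4())
    USERS[admin_id] = {"id": admin_id, "name": "admin", "sysadmin": True,
                       "password": hash_password("correct horse battery staple")}
    return admin_id


def register_user_vulnerable(form: dict) -> dict:
    """Anti-pattern (hypothetical handler, not CKAN's code): the posted 'id' is
    honoured and the write is a merge, so naming an existing id turns an
    unauthenticated registration into a password reset of that account."""
    user_id = form.get("id") or str(uuid.uuid4())
    record = USERS.setdefault(user_id, {"id": user_id, "sysadmin": False})
    record["name"] = form["name"]
    record["password"] = hash_password(form["password"])  # overwrites the victim's
    return record


def register_user_hardened(form: dict) -> dict:
    """Identity is assigned server-side, unlisted fields are dropped instead of
    being written, and an existing record is never updated by this path."""
    clean = {k: form[k] for k in ("name", "password") if k in form}
    if any(u["name"] == clean["name"] for u in USERS.values()):
        raise ValueError("username already taken")
    user_id = str(uuid.uuid4())
    if user_id in USERS:
        raise RuntimeError("id collision")  # create must never become update
    record = {"id": user_id, "name": clean["name"], "sysadmin": False,
              "password": hash_password(clean["password"])}
    USERS[user_id] = record
    return record


def demo() -> dict:
    """Run the same crafted POST body against both handlers and report the outcome."""
    USERS.clear()
    admin_id = seed_superuser()
    crafted = {"name": "anybody", "password": "attacker-chosen", "id": admin_id}

    register_user_vulnerable(crafted)
    admin = USERS[admin_id]
    vuln_takeover = admin["sysadmin"] and verify_password("attacker-chosen", admin["password"])

    USERS.clear()
    admin_id = seed_superuser()
    created = register_user_hardened(crafted)
    admin = USERS[admin_id]
    hardened_safe = (created["id"] != admin_id and not created["sysadmin"]
                     and verify_password("correct horse battery staple", admin["password"]))
    return {"vulnerable_takeover": vuln_takeover, "hardened_safe": hardened_safe}


if __name__ == "__main__":
    print(demo())
```

The point of the hardened variant is not the password hashing but the allow-list on input fields and the refusal to update through a create path: even if the client sends `id`, it never reaches the record, and the seeded sysadmin account keeps its original password.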

Impact

Successful exploitation gives the attacker full control of the compromised account, including its datasets and administrative functions, and superuser capabilities when a sysadmin account is targeted [1]. The impact is severe because CKAN powers many official data portals (e.g., data.gov, open.canada.ca, data.humdata.org) [2][4]; a superuser takeover amounts to complete compromise of the portal.

Mitigation

The vulnerability affects CKAN through version 2.9.6; the first patched release is 2.9.7. Operators should upgrade to 2.9.7 or later as soon as possible. The linked PyPA advisory (PYSEC-2022-42987) confirms the vulnerability and its remediation [3]. Organisations running affected CKAN instances are strongly advised to apply the update immediately.
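A fleet-wide check for the affected range, added here as an example and not part of the advisory: the patched version comes from the package table on this page, the parser treats a pre-release tag (for instance `2.9.7rc1`) as sitting below the final release it precedes, and the inventory of hostnames and versions is constructed for the demonstration. The version strings would normally be collected with `pip show ckan` on each host.

```python
import re
from typing import Dict, List, Tuple

# Patched release from the advisory's package table; everything below it is affected.
PATCHED = "2.9.7"

# major.minor[.patch][pre-release tag]; PEP 440 post/dev/local segments are rejected.
_NUM = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?P<pre>[a-z]+\d*)?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '2.9.6', '2.10.0' or '2.9.7rc1' into a comparable tuple.
    The final component is 0 for a pre-release and 1 for a final release, so
    2.9.7rc1 sorts below 2.9.7 (assumed PEP 440-style numbering, which PyPI
    packages such as ckan follow)."""
    m = _NUM.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    return (major, minor, patch, 0 if m.group("pre") else 1)


def is_affected(version: str) -> bool:
    """True when the installed version is below the first patched release."""
    return parse_version(version) < parse_version(PATCHED)


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return, sorted, the hosts whose ckan version is still in the affected range."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed inventory; hostnames and versions are made up for the example.
SAMPLE_INVENTORY = {
    "portal-prod.example": "2.9.6",
    "portal-stage.example": "2.9.7",
    "portal-dev.example": "2.9.7rc1",
    "portal-new.example": "2.10.0",
    "portal-legacy.example": "2.8.12",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: ckan {SAMPLE_INVENTORY[host]} is affected, upgrade to {PATCHED}+")
```

Rejecting unparseable strings rather than silently treating them as patched is deliberate: a host reporting an unexpected version format should surface as an error in the triage run, not disappear from the list.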

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package        Affected versions   Patched versions
ckan (PyPI)    < 2.9.7             2.9.7

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 6

News mentions: 0 (no linked articles in our index yet)