Moderate severity · NVD Advisory · Published Mar 13, 2024 · Updated Aug 21, 2024
Potential log injection in reset user endpoint in ckan
CVE-2024-27097
Description
A user endpoint did not filter an incoming parameter, which was written directly to the application log. An attacker could use this to inject false log entries or corrupt the log file format. This has been fixed in CKAN versions 2.9.11 and 2.10.4, and users are advised to upgrade. Users unable to upgrade should override the /user/reset endpoint to filter the id parameter so that it cannot contain newlines.
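The flaw described above, as an added example that is not CKAN's own code: a constructed reset handler interpolates the id parameter into a log line unfiltered, so an id containing a newline terminates the real entry and starts a forged one. Beside it is a hardened variant that escapes control characters (keeping the attempt visible in the log rather than dropping it), and a request-time rejection check in the spirit of the advisory's workaround for unpatched installs. The log line format, the sample id values and the function names are assumptions for this demonstration only.

```python
import re

# Constructed sample values for the id parameter (not taken from the advisory).
BENIGN_ID = "alice"
# A newline inside the parameter lets the attacker terminate the real entry
# and start a second, forged one that looks like a successful reset.
CRAFTED_ID = "alice\n2024-03-13 10:00:01 INFO  Password reset completed for user admin"

# Hypothetical log-line shape used for this demonstration only.
LINE_PREFIX = "2024-03-13 10:00:00 INFO  Password reset requested for user "


def vulnerable_log_line(user_id: str) -> str:
    """Mirrors the described flaw: the parameter is interpolated unfiltered."""
    return LINE_PREFIX + user_id


_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def escape_log_field(value: str) -> str:
    """Replace every control character (CR and LF included) with a visible
    \\xNN escape, so the value can never span lines and the injection
    attempt remains visible to whoever reads the log."""
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), value)


def hardened_log_line(user_id: str) -> str:
    """Same log statement, with the untrusted field escaped first."""
    return LINE_PREFIX + escape_log_field(user_id)


def reset_id_is_acceptable(user_id: str) -> bool:
    """Request-time check modelled on the advisory's workaround: refuse an id
    containing CR or LF before it can reach the logging call at all."""
    return "\n" not in user_id and "\r" not in user_id


def count_log_entries(log_text: str) -> int:
    """Count what a log consumer (or a SIEM parser) would see as separate entries."""
    return sum(1 for line in log_text.splitlines() if line)


if __name__ == "__main__":
    for label, fn in (("vulnerable", vulnerable_log_line), ("hardened", hardened_log_line)):
        out = fn(CRAFTED_ID)
        print(f"{label}: {count_log_entries(out)} log entr(y/ies) produced")
        print(out)
```

Escaping rather than stripping is a deliberate choice: a stripped value leaves no trace of the injection attempt, whereas `\x0a` in the recorded id is itself a useful detection signal.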
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| ckan (PyPI) | < 2.9.11 | 2.9.11 |
| ckan (PyPI) | >= 2.10.0, < 2.10.4 | 2.10.4 |
References
- github.com/advisories/GHSA-8g38-3m6v-232j (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-27097 (NVD advisory)
- docs.ckan.org/en/2.10/changelog.html (CKAN changelog)
- github.com/ckan/ckan/commit/5fa133e7e9019573066455b5d442e93c62b3fc93 (fix commit)
- github.com/ckan/ckan/commit/81b56c55e5e3651d7fcf9642cd5a489a9b62212c (fix commit)
- github.com/ckan/ckan/commit/d81f411bff2da7347c343a83e17f5814475b5b64 (fix commit)
- github.com/ckan/ckan/security/advisories/GHSA-8g38-3m6v-232j (vendor advisory, confirmation)