VYPR
Moderate severity · NVD Advisory · Published Aug 21, 2024 · Updated Aug 22, 2024

Potential access to sensitive URLs via CKAN extensions (SSRF)

CVE-2024-43371

Description

CKAN is an open-source data management system for powering data hubs and data portals. A number of CKAN plugins, including XLoader, DataPusher, Resource Proxy and ckanext-archiver, work by downloading the contents of local or remote files in order to act on them (for example pushing them to the DataStore, streaming their contents or saving a local copy). All of them fetch the resource URL, and there are currently no checks limiting which URLs may be requested. A malicious (or merely unaware) user can therefore create a resource whose URL points to a location they should not be able to reach, and one of these tools will retrieve it on their behalf (a Server Side Request Forgery, SSRF).

Users wanting to protect against this kind of attack can use one or a combination of the following approaches:

1. Use a separate HTTP proxy such as Squid to allow or disallow IPs, domains, etc. as needed, and make CKAN extensions aware of it via the ckan.download_proxy config option.
2. Implement custom firewall rules to prevent access to restricted resources.
3. Use custom validators on the resource url field to block or allow certain domains or IPs.

All latest versions of the plugins listed above support the ckan.download_proxy setting. Support for this setting in the Resource Proxy plugin was included in CKAN 2.10.5 and 2.11.0.
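Approach (3) above, a validator on the resource url field, is the one a site operator can apply without touching network infrastructure. The following is an added example written for this page, not code from CKAN or any of its extensions: it follows the shape of a CKAN validator (a callable taking value and context and raising Invalid on failure, an assumed convention) but defines its own Invalid class so it runs without CKAN installed. It rejects non-HTTP(S) schemes, embedded credentials, and any URL whose host is, or resolves to, a loopback, private, link-local, shared, reserved, documentation, multicast or IPv4-mapped address. The resolver is injectable; DEMO_DNS and demo_resolve are a constructed lookup table standing in for real DNS so the example runs offline.

```python
"""Resource-URL validator that rejects SSRF-prone destinations.

Added example, not CKAN's code. Mirrors the (value, context) -> value validator
shape (an assumption) and defines its own Invalid so it runs stand-alone.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


class Invalid(ValueError):
    """Stand-in for ckan.plugins.toolkit.Invalid (a real plugin would import that)."""


def system_resolve(hostname):
    """Default resolver: every A/AAAA address the OS returns for the hostname."""
    infos = socket.getaddrinfo(hostname, None)
    return sorted({info[4][0] for info in infos})


def _blocked(ip):
    """True for addresses a data portal must never fetch resources from."""
    # IPv4-mapped IPv6 (::ffff:10.0.0.1) is classified as the embedded IPv4 address.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global is False for loopback, private, link-local, shared (100.64/10),
    # reserved, documentation and unspecified ranges; multicast is rejected separately.
    return not ip.is_global or ip.is_multicast


def check_resource_url(url, resolve=system_resolve):
    """Return url unchanged if every address it points to is publicly routable, else raise Invalid."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise Invalid("URL scheme must be http or https")
    host = parts.hostname  # lower-cased, brackets stripped from IPv6 literals
    if not host:
        raise Invalid("URL has no host")
    if parts.username is not None or parts.password is not None:
        raise Invalid("credentials are not allowed in resource URLs")
    try:
        addresses = [ipaddress.ip_address(host)]  # literal IPv4/IPv6 address
    except ValueError:
        try:
            addresses = [ipaddress.ip_address(a) for a in resolve(host)]
        except (socket.gaierror, ValueError) as exc:
            raise Invalid("host could not be resolved") from exc
    if not addresses:
        raise Invalid("host resolved to no addresses")
    # Every address must pass: a name with one public and one internal record is rejected.
    for ip in addresses:
        if _blocked(ip):
            raise Invalid("URL points to a non-public address (%s)" % ip)
    return url


def is_safe_resource_url(url, resolve=system_resolve):
    """Boolean convenience wrapper around check_resource_url."""
    try:
        check_resource_url(url, resolve=resolve)
    except Invalid:
        return False
    return True


def resource_url_validator(value, context):
    """Entry point in CKAN validator shape (assumed); intended for the resource 'url' field."""
    return check_resource_url(value)


# Constructed DNS stand-in so the example runs offline (hostnames and addresses are made up).
DEMO_DNS = {
    "data.example.org": ["93.184.216.34"],                   # public address: allowed
    "intranet.example.org": ["10.1.2.3"],                    # RFC 1918: blocked
    "rebind.example.org": ["93.184.216.34", "127.0.0.1"],    # one internal record: blocked
}


def demo_resolve(hostname):
    """Resolver backed by DEMO_DNS instead of the network."""
    if hostname not in DEMO_DNS:
        raise socket.gaierror("no such host: %s" % hostname)
    return DEMO_DNS[hostname]


if __name__ == "__main__":
    for candidate in ["https://data.example.org/file.csv", "http://intranet.example.org/",
                      "http://[::ffff:127.0.0.1]/", "file:///etc/passwd"]:
        verdict = "allowed" if is_safe_resource_url(candidate, demo_resolve) else "blocked"
        print("%-40s %s" % (candidate, verdict))
```

A validator of this kind only inspects the URL at the moment the resource is saved; the download itself happens later, in a background job, and may follow HTTP redirects or see a different DNS answer by then. That is why the advisory lists it as one option to combine with an egress proxy configured through ckan.download_proxy or with firewall rules, rather than as a complete fix on its own.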

Affected packages

Versions sourced from the GitHub Security Advisory.

Package        Affected versions   Patched versions
ckan (PyPI)    < 2.10.5            2.10.5

Patches (2)
382beaec98cb

Update docs with notices regarding DataPusher and scheming

https://github.com/ckan/ckan · amercader · Aug 20, 2024 · via ghsa
2 files changed · +31 −17
  • doc/extensions/adding-custom-fields.rst (+11 −4, modified)
    @@ -14,15 +14,22 @@ restrict the possible values to a defined list. By using CKAN's IDatasetForm
     plugin interface, a CKAN plugin can add custom, first-class metadata fields to
     CKAN datasets, and can do custom validation of these fields.
     
    +.. warning::
    +
    +   In most cases users should use `ckanext-scheming <https://github.com/ckan/ckanext-scheming>`_
    +   rather than the low level interfaces described in this tutorial. The ckanext-scheming
    +   extension allows:
    +
    +      * Metadata schema configuration using a YAML or JSON schema description
    +      * Automatic conversion of custom fields to the internal representation used by CKAN
    +      * Automatic use of relevant template snippets according to the field type for editing and display
    +      * Use of may pre-configured presets for multiple choice fields, dates, repeating subfields, etc.
    +
     .. seealso::
     
        In this tutorial we are assuming that you have read the
        :doc:`/extensions/tutorial`.
     
    -   You may also want to check the [ckanext-scheming](https://github.com/ckan/ckanext-scheming) 
    -   extension, as it will allow metadata schema configuration using a YAML or JSON 
    -   schema description, replete with custom validation and template snippets for 
    -   editing and display.
     
     CKAN schemas and validation
     ---------------------------
    
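Review bot: typo in the last bullet of the new warning: "Use of may pre-configured presets" should read "Use of many pre-configured presets". The removed seealso text was also the only mention that ckanext-scheming brings "custom validation"; consider carrying that phrase into the warning's bullet list, since validators on fields such as the resource url are one of the mitigations this advisory recommends. After the removal the seealso directive ends with two consecutive blank lines; one is enough.
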
  • doc/maintaining/datastore.rst (+20 −13, modified)
    @@ -18,10 +18,10 @@ When a resource is added to the DataStore, you get:
     The DataStore is integrated into the :doc:`CKAN API </api/index>` and
     authorization system.
     
    -The DataStore is generally used alongside the
    -`DataPusher <https://github.com/ckan/datapusher>`_, which will
    +The DataStore is generally used alongside other tools which will
     automatically upload data to the DataStore from suitable files, whether
    -uploaded to CKAN's FileStore or externally linked.
    +uploaded to CKAN's FileStore or externally linked. See :ref:`automatic_uploads`
    +for more details.
     
     .. contents::
        :depth: 1
    @@ -192,24 +192,31 @@ You can now delete the DataStore table with::
     
     To find out more about the Data API, see `The Data API`_.
     
    +.. _automatic_uploads:
     
    ----------------------------------------------------
    -DataPusher: Automatically Add Data to the DataStore
    ----------------------------------------------------
    +------------------------------------------
    +Automatically Adding Data to the DataStore
    +------------------------------------------
     
    -Often, one wants data that is added to CKAN (whether it is linked to or
    +In most cases, you will want data that is added to CKAN (whether it is linked to or
     uploaded to the :doc:`FileStore <filestore>`) to be automatically added to the
     DataStore. This requires some processing, to extract the data from your files
     and to add it to the DataStore in the format the DataStore can handle.
     
    -This task of automatically parsing and then adding data to the DataStore is
    -performed by the `DataPusher`_, a service that runs asynchronously and can be installed
    -alongside CKAN.
    +This task of automatically parsing and then adding data to the DataStore can be performed
    +by different tools, you can choose the one the best fits your requirements:
     
    -To install this please look at the docs here: https://github.com/ckan/datapusher
    +* `XLoader <https://github.com/ckan/ckanext-xloader>`_ is the officially supported extension for 
    +  automated uploads to the DataStore. It runs as a :doc:`background job <background-tasks>` and supports
    +  type guessing and limiting the number of rows imported among other settings.
    +* `DataPusher+ (DataPusher Plus) <https://github.com/dathere/datapusher-plus>`_ is a next-generation replacement for the
    +  DataPusher, maintained by `datHere <https://dathere.com/>`_. It focuses on increased performance and robustness and
    +  includes data pre-processing capabilities to infer fields, transform data, etc.
    +* `AirCan <https://github.com/datopian/aircan>`_ is a tool built on top of Apache Airflow maintained
    +  by `Datopian <https://www.datopian.com/>`_ that among other functionalities supports automated data uploads to the DataStore.
    +* `DataPusher <https://github.com/ckan/datapusher>`_ is a **legacy tool** that is no longer maintained.
    +  It presents significant limitations so users are encouraged to migrate to one of the tools above.
     
    -.. note:: The DataPusher only imports the first worksheet of a spreadsheet. It also does
    -   not support duplicate column headers. That includes blank column headings.
     
     .. _data_dictionary:
     
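Review bot: grammar in the new intro sentence: "you can choose the one the best fits your requirements" should be "you can choose the one that best fits your requirements", and the comma before it splices two sentences (use a semicolon or a full stop). The removed note that DataPusher imports only the first worksheet and rejects duplicate or blank column headers is dropped rather than relocated; since DataPusher is still listed as a legacy option, move that limitation under its bullet so readers who stay on it keep the warning. The removal also leaves two consecutive blank lines before `.. _data_dictionary:`.
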
    
8601183cc2fc

Update docs with notices regarding DataPusher and scheming

https://github.com/ckan/ckan · amercader · Aug 20, 2024 · via ghsa
2 files changed · +31 −17
  • doc/extensions/adding-custom-fields.rst (+11 −4, modified)
    @@ -14,15 +14,22 @@ restrict the possible values to a defined list. By using CKAN's IDatasetForm
     plugin interface, a CKAN plugin can add custom, first-class metadata fields to
     CKAN datasets, and can do custom validation of these fields.
     
    +.. warning::
    +
    +   In most cases users should use `ckanext-scheming <https://github.com/ckan/ckanext-scheming>`_
    +   rather than the low level interfaces described in this tutorial. The ckanext-scheming
    +   extension allows:
    +
    +      * Metadata schema configuration using a YAML or JSON schema description
    +      * Automatic conversion of custom fields to the internal representation used by CKAN
    +      * Automatic use of relevant template snippets according to the field type for editing and display
    +      * Use of may pre-configured presets for multiple choice fields, dates, repeating subfields, etc.
    +
     .. seealso::
     
        In this tutorial we are assuming that you have read the
        :doc:`/extensions/tutorial`.
     
    -   You may also want to check the [ckanext-scheming](https://github.com/ckan/ckanext-scheming) 
    -   extension, as it will allow metadata schema configuration using a YAML or JSON 
    -   schema description, replete with custom validation and template snippets for 
    -   editing and display.
     
     CKAN schemas and validation
     ---------------------------
    
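Review bot: same text as the corresponding hunk in 382beaec98cb, so the same points apply: "Use of may pre-configured presets" should be "Use of many pre-configured presets"; the "custom validation" capability mentioned in the removed seealso text is worth keeping in the new warning's bullet list; and the seealso directive now ends with two consecutive blank lines.
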
  • doc/maintaining/datastore.rst (+20 −13, modified)
    @@ -18,10 +18,10 @@ When a resource is added to the DataStore, you get:
     The DataStore is integrated into the :doc:`CKAN API </api/index>` and
     authorization system.
     
    -The DataStore is generally used alongside the
    -`DataPusher <https://github.com/ckan/datapusher>`_, which will
    +The DataStore is generally used alongside other tools which will
     automatically upload data to the DataStore from suitable files, whether
    -uploaded to CKAN's FileStore or externally linked.
    +uploaded to CKAN's FileStore or externally linked. See :ref:`automatic_uploads`
    +for more details.
     
     .. contents::
        :depth: 1
    @@ -194,24 +194,31 @@ You can now delete the DataStore table with::
     
     To find out more about the Data API, see `The Data API`_.
     
    +.. _automatic_uploads:
     
    ----------------------------------------------------
    -DataPusher: Automatically Add Data to the DataStore
    ----------------------------------------------------
    +------------------------------------------
    +Automatically Adding Data to the DataStore
    +------------------------------------------
     
    -Often, one wants data that is added to CKAN (whether it is linked to or
    +In most cases, you will want data that is added to CKAN (whether it is linked to or
     uploaded to the :doc:`FileStore <filestore>`) to be automatically added to the
     DataStore. This requires some processing, to extract the data from your files
     and to add it to the DataStore in the format the DataStore can handle.
     
    -This task of automatically parsing and then adding data to the DataStore is
    -performed by the `DataPusher`_, a service that runs asynchronously and can be installed
    -alongside CKAN.
    +This task of automatically parsing and then adding data to the DataStore can be performed
    +by different tools, you can choose the one the best fits your requirements:
     
    -To install this please look at the docs here: https://github.com/ckan/datapusher
    +* `XLoader <https://github.com/ckan/ckanext-xloader>`_ is the officially supported extension for 
    +  automated uploads to the DataStore. It runs as a :doc:`background job <background-tasks>` and supports
    +  type guessing and limiting the number of rows imported among other settings.
    +* `DataPusher+ (DataPusher Plus) <https://github.com/dathere/datapusher-plus>`_ is a next-generation replacement for the
    +  DataPusher, maintained by `datHere <https://dathere.com/>`_. It focuses on increased performance and robustness and
    +  includes data pre-processing capabilities to infer fields, transform data, etc.
    +* `AirCan <https://github.com/datopian/aircan>`_ is a tool built on top of Apache Airflow maintained
    +  by `Datopian <https://www.datopian.com/>`_ that among other functionalities supports automated data uploads to the DataStore.
    +* `DataPusher <https://github.com/ckan/datapusher>`_ is a **legacy tool** that is no longer maintained.
    +  It presents significant limitations so users are encouraged to migrate to one of the tools above.
     
    -.. note:: The DataPusher only imports the first worksheet of a spreadsheet. It also does
    -   not support duplicate column headers. That includes blank column headings.
     
     .. _data_dictionary:
     
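Review bot: this hunk carries the same text as the one in 382beaec98cb (only the starting line differs, 194 instead of 192), so the same fixes apply: "the one the best fits" should read "the one that best fits" with the comma splice before it repaired; the removed DataPusher limitation (first worksheet only, no duplicate or blank column headers) should be moved under the legacy DataPusher bullet rather than dropped; and the removal leaves a double blank line before `.. _data_dictionary:`.
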
    
