PYSEC-2026-312
Ckan remote code execution and private information access via crafted resource ids
### Details
Specific vulnerabilities:

* Arbitrary file write in the `resource_create` and `package_update` actions through the `ResourceUploader` object. Also reachable via `package_create`, `package_revise`, and `package_patch`, which call `package_update`.
* Remote code execution via unsafe pickle loading in Beaker's session store when it is configured to use the file session store backend.
* Potential DoS due to the lack of a length check on the resource id.
* Information disclosure: a user with permission to create a resource can read any other resource on the system if they know its id, even if they do not otherwise have access to it.
* Resource overwrite: a user with permission to create a resource can overwrite any resource if they know its id, even if they do not otherwise have access to it.
### Impact
A user with permission to create or edit a dataset can upload a resource with a specially crafted id so that the uploaded file is written to an arbitrary location on the server. Because the written file can be placed where Beaker's file session store will load it, this can be leveraged for remote code execution via Beaker's insecure pickle loading.
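The following is an added illustration of the resource-id handling flaws listed above, paired with a hardened version; it is example code written for this page, not CKAN's implementation. The storage root, the in-memory package and resource tables, the user names and the helper names are all assumptions, and the Beaker pickle step is not modelled. It shows why a client-supplied id must be constrained to the format the server itself issues (which also closes the length-based DoS), why the resolved path must still be checked against the storage root, and why the id must be tied to a package the caller may edit before any read or overwrite is allowed.

```python
import os
import re

# Assumed storage root for the example (not CKAN's real configuration).
STORAGE_ROOT = "/var/lib/ckan/storage/resources"
# A canonical UUID string is 36 characters; anything longer is rejected before
# it reaches path building, so an oversized id cannot be used for a DoS.
MAX_ID_LEN = 36
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)


def vulnerable_upload_path(resource_id: str) -> str:
    """The flaw: the on-disk path is built straight from the caller's id.
    os.path.join follows "../" segments, so a crafted id escapes the root."""
    return os.path.normpath(os.path.join(STORAGE_ROOT, resource_id))


def escapes_root(path: str, root: str = STORAGE_ROOT) -> bool:
    """True when the resolved path is not inside root."""
    root = os.path.abspath(root)
    return os.path.commonpath([root, os.path.abspath(path)]) != root


def safe_upload_path(resource_id: str) -> str:
    """Hardened version: accept only a canonical lowercase UUID, then still
    verify that the final path stays under STORAGE_ROOT."""
    if len(resource_id) > MAX_ID_LEN:
        raise ValueError("resource id too long")
    if not UUID_RE.match(resource_id):
        raise ValueError("resource id is not a canonical UUID")
    path = os.path.normpath(os.path.join(STORAGE_ROOT, resource_id))
    if escapes_root(path):  # belt and braces; the regex already prevents this
        raise ValueError("resolved path escapes storage root")
    return path


def rejects(resource_id: str) -> bool:
    """Helper for tests: does safe_upload_path refuse this id?"""
    try:
        safe_upload_path(resource_id)
    except ValueError:
        return True
    return False


# Constructed stand-ins for the package and resource tables (assumption).
PACKAGES = {
    "pkg-a": {"editors": {"alice"}},
    "pkg-b": {"editors": {"bob"}},
}
RESOURCES = {
    "8f14e45f-ceea-467a-9575-62d47f7a8c6e": "pkg-a",
    "c9f0f895-fb98-4b91-8a35-0c4b4f6b1d2a": "pkg-b",
}


def vulnerable_can_write(user: str, resource_id: str) -> bool:
    """The flaw: anyone allowed to create a resource somewhere may supply
    any existing id, so the check never looks at which package owns it."""
    return any(user in p["editors"] for p in PACKAGES.values())


def safe_can_write(user: str, resource_id: str) -> bool:
    """Hardened: the id must belong to a package this user may edit. An
    unknown id is refused so the server mints ids instead of the client."""
    package_id = RESOURCES.get(resource_id)
    if package_id is None:
        return False
    return user in PACKAGES[package_id]["editors"]


if __name__ == "__main__":
    crafted = "../../../../../etc/cron.d/evil"
    print("vulnerable path:", vulnerable_upload_path(crafted))
    print("escapes root:", escapes_root(vulnerable_upload_path(crafted)))
    print("hardened rejects crafted id:", rejects(crafted))
    bobs = "c9f0f895-fb98-4b91-8a35-0c4b4f6b1d2a"
    print("alice overwrites bob's resource (vulnerable):",
          vulnerable_can_write("alice", bobs))
    print("alice overwrites bob's resource (hardened):",
          safe_can_write("alice", bobs))
```

The path check and the ownership check are deliberately separate: a well-formed UUID that the caller has no right to touch is exactly the information-disclosure and overwrite case, and a path-safe id says nothing about authorisation.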
### Patches
All of the vulnerabilities listed above have been fixed in CKAN 2.9.9 and CKAN 2.10.1. The patches for CKAN 2.9 should apply easily to earlier CKAN versions.
Affected packages
ckan (pip): fixed in 2.9.9 and 2.10.1; earlier releases in each series are affected. Upgrade to one of those versions, or backport the 2.9 patches to older installations.
References
- https://github.com/ckan/ckan/security/advisories/GHSA-446m-hmmm-hm8m [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2023-32321 [ADVISORY]
- https://github.com/ckan/ckan [PACKAGE]
- https://github.com/ckan/ckan/blob/2a6080e61d5601fa0e2a0317afd6a8e9b7abf6dd/CHANGELOG.rst [WEB]
- https://pypi.org/project/ckan [PACKAGE]
- https://github.com/advisories/GHSA-446m-hmmm-hm8m [ADVISORY]