CKAN is vulnerable to session secret shared across instances using Docker images
CVE-2023-22746

8.6HIGH

Key Information:

Vendor: Ckan
Status: Ckan
Vendor: CVE Published:; 3 February 2023

What is CVE-2023-22746?

CKAN, an open-source data management system, has a vulnerability in its Docker images where the default secret key is shared across multiple instances. If users do not define a custom secret key in their .env file, it could lead to authentication forgery, allowing attackers to craft fraudulent requests. This issue primarily affects the newer Docker images while the legacy images remain unaffected. Users are advised to configure their .env files appropriately to mitigate this risk.

Affected Version(s)

ckan >= 2.9.0, < 2.9.7 < 2.9.0, 2.9.7

ckan < 2.8.12 < 2.8.12

References

https://github.com/ckan/ckan/security/advisories/GHSA-pr8...

x_refsource_CONFIRM

https://github.com/ckan/ckan/commit/44af0f0a148fcc0e0fbcf...

x_refsource_MISC

https://github.com/ckan/ckan/commit/4c22c135fa486afa13855...

x_refsource_MISC

CVSS V3.1

Score:

8.6

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 3, 2023
Vulnerability Reserved
Jan 6, 2023

Ckan

What is CVE-2023-22746?

Affected Version(s)

References

CVSS V3.1

Timeline