Protecting Against Server Side Request Forgery (SSRF) in CKAN
CVE-2024-43371

6.5 MEDIUM

Key Information:

Vendor
Ckan
CVE Published:
21 August 2024

Summary

The CKAN data management system and its associated plugins, including XLoader, DataPusher, and Resource Proxy, fetch resource URLs without restriction, which exposes them to Server Side Request Forgery (SSRF). Attackers, or unsuspecting users acting on their behalf, can supply a crafted resource URL and have CKAN issue a request to a resource it should not reach. The issue arises because CKAN does not apply its existing checks to resource URLs, so requests can reach prohibited locations. To mitigate the risk, users are advised to combine several measures: routing downloads through a separate HTTP proxy, adding custom firewall rules, and validating the resource URL field. Recent updates to the CKAN plugins add configuration options for the download proxy settings, which helps block unauthorized URL access.
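As an added illustration of the resource URL field validation the summary recommends (example code, not CKAN's own; the function names and the injectable resolver are assumptions), a check that rejects a resource URL whose host points at a loopback, private, link-local or otherwise non-global address before XLoader, DataPusher or Resource Proxy attempt to fetch it:

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed example validator; not CKAN's own code. The resolver hook is an
# assumption so the check can be exercised without network access.
ALLOWED_SCHEMES = {"http", "https"}


def _resolve(host):
    """Default resolver: every address the hostname currently maps to."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def _is_blocked(addr):
    """True for any address a data-portal fetch should never be sent to."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so the IPv4 rules apply.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified
            or not ip.is_global)


def check_resource_url(url, resolver=_resolve):
    """Return (ok, reason); ok is False when the URL must be rejected."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, "unparseable URL: %s" % exc
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    try:
        # Literal IP host (brackets already stripped for IPv6): check directly.
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError as exc:
            return False, "cannot resolve host: %s" % exc
    for addr in addrs:
        if _is_blocked(addr):
            return False, "host resolves to blocked address %s" % addr
    return True, "ok"
```

Resolution at validation time does not bind the address used by the later download (the name can change between the two lookups), which is why the advisory also recommends a separate download proxy and firewall rules as defence in depth.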

Affected Version(s)

ckan < 2.10.5

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
