Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2023-22746

Good to know:

icon

Date: February 3, 2023

CKAN is an open-source DMS (data management system) for powering data hubs and data portals. When creating a new container based on one of the Docker images listed below, the same secret key was being used by default. If the users didn't set a custom value via environment variables in the ".env" file, that key was shared across different CKAN instances, making it easy to forge authentication requests. Users overriding the default secret key in their own ".env" file are not affected by this issue. Note that the legacy images (ckan/ckan) located in the main CKAN repo are not affected by this issue. The affected images are ckan/ckan-docker, (ckan/ckan-base images), okfn/docker-ckan (openknowledge/ckan-base and openknowledge/ckan-dev images) keitaroinc/docker-ckan (keitaro/ckan images).

Language: Python

Severity Score

Related Resources (5)

https://github.com/ckan/ckan/security/advisories/GHSA-pr8j-v4c8-h62x
https://github.com/ckan/ckan/commit/4c22c135fa486afa13855d1cdb9765eaf418d2aa
https://nvd.nist.gov/vuln/detail/CVE-2023-22746
https://github.com/ckan/ckan/commit/44af0f0a148fcc0e0fbcf02fe69b7db13459a84b
https://www.mend.io/vulnerability-database/CVE-2023-22746

Severity Score

Weakness Type (CWE)

Use of Insufficiently Random Values

CWE-330

Use of Invariant Value in Dynamically Changing Context

CWE-344

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): LOW
Availability (A): LOW

Do you need more information?

Contact Us