Vulnerability DatabaseCVE-2024-27097
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2024-27097
March 13, 2024
A user endpoint didn't perform filtering on an incoming parameter, which was added directly to the application log. This could lead to an attacker injecting false log entries or corrupt the log file format. This has been fixed in the CKAN versions 2.9.11 and 2.10.4. Users are advised to upgrade. Users unable to upgrade should override the `/user/reset` endpoint to filter the `id` parameter in order to exclude newlines.
Affected Packages
ckan (PYTHON):
Affected version(s) >=2.10.0 <2.10.4
Fix Suggestion:
Update to version 2.10.4
ckan (PYTHON):
Affected version(s) >=0.3 <2.9.11
Fix Suggestion:
Update to version 2.9.11
Related ResourcesĀ (7)
https://nvd.nist.gov/vuln/detail/CVE-2024-27097
https://docs.ckan.org/en/2.10/changelog.html#v-2-10-4-2024-03-13
https://github.com/ckan/ckan/commit/5fa133e7e9019573066455b5d442e93c62b3fc93
https://github.com/ckan/ckan/commit/81b56c55e5e3651d7fcf9642cd5a489a9b62212c
https://github.com/ckan/ckan
https://github.com/ckan/ckan/commit/d81f411bff2da7347c343a83e17f5814475b5b64
https://github.com/ckan/ckan/security/advisories/GHSA-8g38-3m6v-232j
Do you need more information?
Contact Us
CVSS v4
Base Score:
5.3
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
PASSIVE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
LOW
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
4.3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
NONE
Integrity
LOW
Availability
NONE
Weakness Type (CWE)
Insertion of Sensitive Information into Log File
CWE-532
Improper Output Neutralization for Logs
CWE-117
EPSS
Base Score:
0.34