CVE-2024-43371

CKAN is an open-source data management system for powering data hubs and data portals. There are a number of CKAN plugins, including XLoader, DataPusher, Resource proxy and ckanext-archiver, that work by downloading the contents of local or remote files in order to perform some actions with their contents (e.g. pushing to the DataStore, streaming contents or saving a local copy). All of them use the resource URL, and there are currently no checks to limit what URLs can be requested. This means that a malicious (or unaware) user can create a resource with a URL pointing to a place where they should not have access in order for one of the previous tools to retrieve it (known as a Server Side Request Forgery). Users wanting to protect against these kinds of attacks can use one or a combination of the following approaches: (1) Use a separate HTTP proxy like Squid that can be used to allow / disallow IPs, domains etc as needed, and make CKAN extensions aware of this setting via the ckan.download_proxy config option. (2) Implement custom firewall rules to prevent access to restricted resources. (3) Use custom validators on the resource url field to block/allow certain domains or IPs. All latest versions of the plugins listed above support the ckan.download_proxy settings. Support for this setting in the Resource Proxy plugin was included in CKAN 2.10.5 and 2.11.0.

CVSS v3 4.5 MEDIUM

4.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 0.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/ckan/ckan/security/advisories/GHSA-g9ph-j5vj-f8wm	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:okfn:ckan:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2024-08-21 15:15

Updated : 2024-08-23 16:20

NVD link : CVE-2024-43371

Mitre link : CVE-2024-43371

CVE.ORG link : CVE-2024-43371

JSON object : View

Products Affected

okfn

ckan

CWE

CWE-918

Server-Side Request Forgery (SSRF)

{"id": "CVE-2024-43371", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 0.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2024-08-21T15:15:09.190", "references": [{"url": "https://github.com/ckan/ckan/security/advisories/GHSA-g9ph-j5vj-f8wm", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-918"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "CKAN is an open-source data management system for powering data hubs and data portals. There are a number of CKAN plugins, including XLoader, DataPusher, Resource proxy and ckanext-archiver, that work by downloading the contents of local or remote files in order to perform some actions with their contents (e.g. pushing to the DataStore, streaming contents or saving a local copy). All of them use the resource URL, and there are currently no checks to limit what URLs can be requested. This means that a malicious (or unaware) user can create a resource with a URL pointing to a place where they should not have access in order for one of the previous tools to retrieve it (known as a Server Side Request Forgery). Users wanting to protect against these kinds of attacks can use one or a combination of the following approaches: (1) Use a separate HTTP proxy like Squid that can be used to allow / disallow IPs, domains etc as needed, and make CKAN extensions aware of this setting via the ckan.download_proxy config option. (2) Implement custom firewall rules to prevent access to restricted resources. (3) Use custom validators on the resource url field to block/allow certain domains or IPs. All latest versions of the plugins listed above support the ckan.download_proxy settings. Support for this setting in the Resource Proxy plugin was included in CKAN 2.10.5 and 2.11.0."}, {"lang": "es", "value": "CKAN es un sistema de gesti\u00f3n de datos de c\u00f3digo abierto para impulsar centros y portales de datos. Hay una serie de complementos de CKAN, incluidos XLoader, DataPusher, Resource proxy y ckanext-archiver, que funcionan descargando el contenido de archivos locales o remotos para realizar algunas acciones con sus contenidos (por ejemplo, enviar al DataStore, transmitir contenidos o guardando una copia local). Todos ellos utilizan la URL del recurso y actualmente no existen comprobaciones para limitar las URL que se pueden solicitar. Esto significa que un usuario malintencionado (o inconsciente) puede crear un recurso con una URL que apunte a un lugar al que no deber\u00eda tener acceso para que una de las herramientas anteriores lo recupere (conocido como Server Side Request Forgery). Los usuarios que deseen protegerse contra este tipo de ataques pueden usar uno o una combinaci\u00f3n de los siguientes enfoques: (1) Usar un proxy HTTP separado como Squid que se puede usar para permitir o no permitir IP, dominios, etc., seg\u00fan sea necesario, y alertar a las extensiones CKAN. de esta configuraci\u00f3n a trav\u00e9s de la opci\u00f3n de configuraci\u00f3n ckan.download_proxy. (2) Implementar reglas de firewall personalizadas para evitar el acceso a recursos restringidos. (3) Utilice validadores personalizados en el campo URL del recurso para bloquear/permitir ciertos dominios o IP. Todas las versiones m\u00e1s recientes de los complementos enumerados anteriormente admiten la configuraci\u00f3n de ckan.download_proxy. La compatibilidad con esta configuraci\u00f3n en el complemento Resource Proxy se incluy\u00f3 en CKAN 2.10.5 y 2.11.0."}], "lastModified": "2024-08-23T16:20:10.060", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:okfn:ckan:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5E427B7D-6C9B-4766-8FF7-A0DF9B5EEAE8", "versionEndExcluding": "2.10.5"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}