CVEFinder.io

CVE-2024-43371

🔶 medium
🔍 Scan for this CVE
Summary

CKAN is an open-source data management system for powering data hubs and data portals. There are a number of CKAN plugins, including XLoader, DataPusher, Resource proxy and ckanext-archiver, that work by downloading the contents of local or remote files in order to perform some actions with their contents (e.g. pushing to the DataStore, streaming contents or saving a local copy). All of them use the resource URL, and there are currently no checks to limit what URLs can be requested. This means t

Description

CKAN is an open-source data management system for powering data hubs and data portals. There are a number of CKAN plugins, including XLoader, DataPusher, Resource proxy and ckanext-archiver, that work by downloading the contents of local or remote files in order to perform some actions with their contents (e.g. pushing to the DataStore, streaming contents or saving a local copy). All of them use the resource URL, and there are currently no checks to limit what URLs can be requested. This means that a malicious (or unaware) user can create a resource with a URL pointing to a place where they should not have access in order for one of the previous tools to retrieve it (known as a Server Side Request Forgery). Users wanting to protect against these kinds of attacks can use one or a combination of the following approaches: (1) Use a separate HTTP proxy like Squid that can be used to allow / disallow IPs, domains etc as needed, and make CKAN extensions aware of this setting via the ckan.download_proxy config option. (2) Implement custom firewall rules to prevent access to restricted resources. (3) Use custom validators on the resource url field to block/allow certain domains or IPs. All latest versions of the plugins listed above support the ckan.download_proxy settings. Support for this setting in the Resource Proxy plugin was included in CKAN 2.10.5 and 2.11.0.

CVSS Score
4.5
Medium
EPSS Score
0.3
Exploit Probability
Published Date
2024-08-21
First Seen: 2026-01-05
📊 Relative Risk Intelligence

This CVE is Lower Risk - more severe than 12.3% of all 328,009 vulnerabilities in our database.

#287,733
Below average severity
Severity Percentile
🎯 CISA SSVC Assessment Updated: Aug 22, 2024
🔍 Exploitation Status
None
No known exploits
⚙️ Automatable
NO
Requires human interaction
💥 Technical Impact
Partial
Limited system impact
SSVC data provided by CISA
Last Modified 2024-08-23
Source NVD 🔗
CVSS Vector 3.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N
CWE IDs (Weakness Types)
CWE-918

📦 Affected Products 1

Vendor Product Status Affected Versions
okfn ckan Affected
< 2.10.5

🔗 References 1

https://github.com/ckan/ckan/security/advisories/GHS...
Vendor Advisory

🔗 Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2026-41132 ⚠️ high 7.4 0.0 CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Prior to 2.10.10 and 2.11.5... 2026-05-13
CVE-2026-41255 🔶 medium 6.1 0.0 CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Prior to 2.10.10 and 2.11.5... 2026-05-13
CVE-2026-42031 ⛔ critical 9.8 9.1 CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Prior to 2.10.10 and 2.11.5... 2026-05-13
CVE-2026-42032 ⛔ critical 9.1 0.0 CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Prior to 2.10.10 and 2.11.5... 2026-05-13
CVE-2024-41674 🔶 medium 5.3 0.5 CKAN is an open-source data management system for powering data hubs and data portals. If there were connection issues w... 2024-08-21
CVE-2024-41675 🔶 medium 6.8 1.1 CKAN is an open-source data management system for powering data hubs and data portals. The Datatables view plugin did no... 2024-08-21
These CVEs affect the same products