CVE-2023-32696

EPSS 0.79%
Veröffentlicht 30.05.2023 19:15:10
Zuletzt bearbeitet 21.11.2024 08:03:52
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Excessive permissions for ckan user

CKAN is an open-source data management system for powering data hubs and data portals. Prior to versions 2.9.9 and 2.10.1, the `ckan` user (equivalent to www-data) owned code and configuration files in the docker container and the `ckan` user had the permissions to use sudo. These issues allowed for code execution or privilege escalation if an arbitrary file write bug was available. Versions 2.9.9, 2.9.9-dev, 2.10.1, and 2.10.1-dev contain a patch.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

NVD 2 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Okfn ≫ Ckan Version < 2.9.9

Okfn ≫ Ckan Version2.10.0

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.79%	0.515

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-269 Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

https://github.com/ckan/ckan-docker-base/commit/5483c46ce9b518a4e1b626ef7032cce2c1d75c7d

Patch

https://github.com/ckan/ckan-docker-base/security/advisories/GHSA-c74x-xfvr-x5wg

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-32696

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-32696

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-32696

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2023-32696