5.3

CVE-2024-27097

EPSS 0.43%
Veröffentlicht 13.03.2024 21:15:58
Zuletzt bearbeitet 23.01.2025 21:22:17
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Potential log injection in reset user endpoint in ckan

A user endpoint didn't perform filtering on an incoming parameter, which was added directly to the application log. This could lead to an attacker injecting false log entries or corrupt the log file format. This has been fixed in the CKAN versions 2.9.11 and 2.10.4. Users are advised to upgrade. Users unable to upgrade should override the `/user/reset` endpoint to filter the `id` parameter in order to exclude newlines.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

NVD 2 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Okfn ≫ Ckan Version >= 2.0 < 2.9.11

Okfn ≫ Ckan Version >= 2.10.0 < 2.10.4

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.43%	0.345

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
security-advisories@github.com	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CWE-532 Insertion of Sensitive Information into Log File

The product writes sensitive information to a log file.

https://github.com/ckan/ckan/commit/81b56c55e5e3651d7fcf9642cd5a489a9b62212c

Patch

https://github.com/ckan/ckan/security/advisories/GHSA-8g38-3m6v-232j

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-27097

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-27097

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-27097

EUVD