CVE-2024-27097

low-risk
Published 2024-03-13

A user endpoint didn't perform filtering on an incoming parameter, which was added directly to the application log. This could lead to an attacker injecting false log entries or corrupt the log file format. This has been fixed in the CKAN versions 2.9.11 and 2.10.4. Users are advised to upgrade. Users unable to upgrade should override the `/user/reset` endpoint to filter the `id` parameter in order to exclude newlines.

Do I need to act?

-
0.45% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
4
CVSS 4.3/10 Medium
NETWORK / LOW complexity

Affected Products (1)

Ckan

Affected Vendors

Okfn

References (4)

Patch https://github.com/ckan/ckan/commit/81b56c55e5e3651d7fcf9642cd5a489a9b62212c
Vendor Advisory https://github.com/ckan/ckan/security/advisories/GHSA-8g38-3m6v-232j
Patch https://github.com/ckan/ckan/commit/81b56c55e5e3651d7fcf9642cd5a489a9b62212c
Vendor Advisory https://github.com/ckan/ckan/security/advisories/GHSA-8g38-3m6v-232j
25
/ 100
low-risk
Severity 18/34 · Moderate
Exploitability 2/34 · Minimal
Exposure 5/34 · Minimal