CVE-2024-41674

CKAN is an open-source data management system for powering data hubs and data portals. If there were connection issues with the Solr server, the internal Solr URL (potentially including credentials) could be leaked to package_search calls as part of the returned error message. This has been patched in CKAN 2.10.5 and 2.11.0.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/ckan/ckan/commit/f6b032cd7082d784938165bbd113557639002ca7	Patch
https://github.com/ckan/ckan/security/advisories/GHSA-2rqw-cfhc-35fh	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:okfn:ckan:*:*:*:*:*:*:*:*

History

23 Aug 2024, 17:06

Type	Values Removed	Values Added
First Time		Okfn Okfn ckan
References	~~() https://github.com/ckan/ckan/commit/f6b032cd7082d784938165bbd113557639002ca7 -~~	() https://github.com/ckan/ckan/commit/f6b032cd7082d784938165bbd113557639002ca7 - Patch
References	~~() https://github.com/ckan/ckan/security/advisories/GHSA-2rqw-cfhc-35fh -~~	() https://github.com/ckan/ckan/security/advisories/GHSA-2rqw-cfhc-35fh - Vendor Advisory
Summary		(es) CKAN es un sistema de gestión de datos de código abierto para impulsar centros y portales de datos. Si hubo problemas de conexión con el servidor Solr, la URL interna de Solr (que potencialmente incluye las credenciales) podría filtrarse a llamadas package_search como parte del mensaje de error devuelto. Esto ha sido parcheado en CKAN 2.10.5 y 2.11.0.
CPE		cpe:2.3:a:okfn:ckan::::::::

21 Aug 2024, 16:06

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-08-21 15:15

Updated : 2024-08-23 17:06

NVD link : CVE-2024-41674

Mitre link : CVE-2024-41674

CVE.ORG link : CVE-2024-41674

JSON object : View

Products Affected

okfn

ckan

CWE

CWE-209

Generation of Error Message Containing Sensitive Information

{"id": "CVE-2024-41674", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2024-08-21T15:15:08.770", "references": [{"url": "https://github.com/ckan/ckan/commit/f6b032cd7082d784938165bbd113557639002ca7", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/ckan/ckan/security/advisories/GHSA-2rqw-cfhc-35fh", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-209"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-209"}]}], "descriptions": [{"lang": "en", "value": "CKAN is an open-source data management system for powering data hubs and data portals. If there were connection issues with the Solr server, the internal Solr URL (potentially including credentials) could be leaked to package_search calls as part of the returned error message. This has been patched in CKAN 2.10.5 and 2.11.0."}, {"lang": "es", "value": "CKAN es un sistema de gesti\u00f3n de datos de c\u00f3digo abierto para impulsar centros y portales de datos. Si hubo problemas de conexi\u00f3n con el servidor Solr, la URL interna de Solr (que potencialmente incluye las credenciales) podr\u00eda filtrarse a llamadas package_search como parte del mensaje de error devuelto. Esto ha sido parcheado en CKAN 2.10.5 y 2.11.0."}], "lastModified": "2024-08-23T17:06:58.063", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:okfn:ckan:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E92554C7-B668-4F24-9781-5E5F2A284989", "versionEndExcluding": "2.10.5", "versionStartIncluding": "2.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}