CVE-2023-32321

描述

Specific vulnerabilities: * Arbitrary file write in `resource_create` and `package_update` actions, using the `ResourceUploader` object. Also reachable via `package_create`, `package_revise`, and `package_patch` via calls to `package_update`. * Remote code execution via unsafe pickle loading, via Beaker's session store when configured to use the file session store backend. * Potential DOS due to lack of a length check on the resource id. * Information disclosure: A user with permission to create a resource can access any other resource on the system if they know the id, even if they don't have access to it. * Resource overwrite: A user with permission to create a resource can overwrite any resource if they know the id, even if they don't have access to it. ### Impact A user with permissions to create or edit a dataset can upload a resource with a specially crafted id to write the uploaded file in an arbitrary location. This can be leveraged to Remote Code Execution via Beaker's insecure pickle loading. ### Patches All the above listed vulnerabilities have been fixed in CKAN 2.9.9 and CKAN 2.10.1 The patches for CKAN 2.9 should apply easily to previous CKAN versions.

受影響套件(1)

• PyPI/ckanfrom 0, < 2.9.9

CVSS 分數

參考連結(4)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-32321
• PATCHhttps://github.com/ckan/ckan
• WEBhttps://github.com/ckan/ckan/blob/2a6080e61d5601fa0e2a0317afd6a8e9b7abf6dd/CHANGELOG.rst
• WEBhttps://github.com/ckan/ckan/security/advisories/GHSA-446m-hmmm-hm8m