← voltar
CVE-2023-32696

Excessive permissions for ckan user

CVSS 8.8 HIGHEPSS 0.8%CWE-269
Vexday Risk Score
21Baixo
Decisão SSVC (CISA)
Track
Sem sinal de exploração → monitorar
CVSS 8.8EPSS 0.8%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
30 mai 2023Publicada no NVD
Recomendação: Monitorar — sem sinal de exploração no momento.
CKAN is an open-source data management system for powering data hubs and data portals. Prior to versions 2.9.9 and 2.10.1, the `ckan` user (equivalent to www-data) owned code and configuration files in the docker container and the `ckan` user had the permissions to use sudo. These issues allowed for code execution or privilege escalation if an arbitrary file write bug was available. Versions 2.9.9, 2.9.9-dev, 2.10.1, and 2.10.1-dev contain a patch.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Produtos afetados
ckan · ckan-docker-base

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →
Referências
https://github.com/ckan/ckan-docker-base/commit/5483c46ce9b518a4e1b626ef7032cce2c1d75c7dhttps://github.com/ckan/ckan-docker-base/security/advisories/GHSA-c74x-xfvr-x5wg