CVE-2024-27097

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-27097

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-27097.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-27097

Aliases

GHSA-8g38-3m6v-232j

Published

2024-03-13T20:40:50Z

Modified

2025-11-04T20:17:28.353131Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N CVSS Calculator

Summary

Potential log injection in reset user endpoint in ckan

Details

A user endpoint didn't perform filtering on an incoming parameter, which was added directly to the application log. This could lead to an attacker injecting false log entries or corrupt the log file format. This has been fixed in the CKAN versions 2.9.11 and 2.10.4. Users are advised to upgrade. Users unable to upgrade should override the /user/reset endpoint to filter the id parameter in order to exclude newlines.

Database specific

{
    "cwe_ids": [
        "CWE-532"
    ]
}

References

Affected packages

Git / github.com/ckan/ckan

Affected ranges

Type

GIT

Repo

https://github.com/ckan/ckan

Events

Introduced

aec8130bc07ffafd191c4192cca9de735c430dd1

Fixed

f2d47c8f87bc5f224ebff93b23d0f6fda8fb81b4

Database specific

{
    "versions": [
        {
            "introduced": "2.0"
        },
        {
            "fixed": "2.9.11"
        }
    ]
}

Type

GIT

Repo

https://github.com/ckan/ckan

Events

Introduced

70bec6611003b96ec7a02abb9605afdfb0964ad9

Fixed

f03e7f7d02397b064a29a5c737fa4a72b8a30191

Database specific

{
    "versions": [
        {
            "introduced": "2.10.0"
        },
        {
            "fixed": "2.10.4"
        }
    ]
}

Affected versions

ckan-2.*

ckan-2.10.0

ckan-2.10.1

ckan-2.10.2

ckan-2.10.3