CVE-2025-64100

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-64100

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-64100.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-64100

Aliases

GHSA-2hvh-cw5c-8q8q

Published

2025-10-29T17:54:51.997Z

Modified

2026-04-02T12:59:21.519399Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N CVSS Calculator

Summary

CKAN Vulnerable to Session Cookie Fixation

Details

CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Prior to 2.10.9 and 2.11.4, session ids could be fixed by an attacker if the site is configured with server-side session storage (CKAN uses cookie-based session storage by default). The attacker would need to either set a cookie on the victim's browser or steal the victim's currently valid session. Session identifiers are now regenerated after each login. This vulnerability has been fixed in CKAN 2.10.9 and 2.11.4

Database specific

{
    "cwe_ids": [
        "CWE-384"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/64xxx/CVE-2025-64100.json"
}

References

Affected packages

Git / github.com/ckan/ckan

Affected ranges

Type

GIT

Repo

https://github.com/ckan/ckan

Events

Introduced

Fixed

466f516528a736b60ed3ca60f5574a00c0522709

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.10.9"
        }
    ]
}

Type

GIT

Repo

https://github.com/ckan/ckan

Events

Introduced

710dfff718859ff284f0e9feee70c1ecfc86677a

Fixed

882f16b6de851e30345bfd06417512e79f890941

Database specific

{
    "versions": [
        {
            "introduced": "2.11.0"
        },
        {
            "fixed": "2.11.4"
        }
    ]
}

Affected versions

ckan-1.*

ckan-1.3.3b

ckan-1.4

ckan-1.4.1

ckan-1.4.2

ckan-1.4.3

ckan-1.5

ckan-1.5.1

ckan-1.6

ckan-1.7

ckan-1.7.1

ckan-1.7.2

ckan-1.7.3

ckan-1.7.4

ckan-1.8

ckan-1.8.1

ckan-1.8.2

ckan-2.*

ckan-2.0

ckan-2.0.1

ckan-2.0.2

ckan-2.0.3

ckan-2.0.4

ckan-2.0.5

ckan-2.0.6

ckan-2.0.7

ckan-2.0.8

ckan-2.1

ckan-2.1.1

ckan-2.1.2

ckan-2.1.3

ckan-2.1.4

ckan-2.1.5

ckan-2.1.6

ckan-2.10.0

ckan-2.10.1

ckan-2.10.2

ckan-2.10.3

ckan-2.10.4

ckan-2.10.5

ckan-2.10.6

ckan-2.10.7

ckan-2.10.8

ckan-2.11.0

ckan-2.11.1

ckan-2.11.2

ckan-2.11.3

ckan-2.11.4

ckan-2.2

ckan-2.2.1

ckan-2.2.2

ckan-2.2.3

ckan-2.2.4

ckan-2.3

ckan-2.3.1

ckan-2.3.2

ckan-2.3.3

ckan-2.3.4

ckan-2.3.5

ckan-2.4.0

ckan-2.4.1

ckan-2.4.2

ckan-2.4.3

ckan-2.4.4

ckan-2.4.5

ckan-2.4.6

ckan-2.4.7

ckan-2.4.8

ckan-2.4.9

ckan-2.5.0

ckan-2.5.1

ckan-2.5.2

ckan-2.5.3

ckan-2.5.4

ckan-2.5.5

ckan-2.5.6

ckan-2.5.7

ckan-2.5.8

ckan-2.5.9

ckan-2.6.0

ckan-2.6.1

ckan-2.6.2

ckan-2.6.3

ckan-2.6.4

ckan-2.6.5

ckan-2.6.6

ckan-2.6.7

ckan-2.6.8

ckan-2.6.9

ckan-2.7.0

ckan-2.7.1

ckan-2.7.10

ckan-2.7.11

ckan-2.7.12

ckan-2.7.2

ckan-2.7.3

ckan-2.7.4

ckan-2.7.5

ckan-2.7.6

ckan-2.7.7

ckan-2.7.8

ckan-2.7.9

ckan-2.8.0

ckan-2.8.1

ckan-2.8.10

ckan-2.8.11

ckan-2.8.12

ckan-2.8.2

ckan-2.8.3

ckan-2.8.4

ckan-2.8.5

ckan-2.8.6

ckan-2.8.7

ckan-2.8.8

ckan-2.8.9

ckan-2.9.0

ckan-2.9.1

ckan-2.9.10

ckan-2.9.11

ckan-2.9.2

ckan-2.9.3

ckan-2.9.4

ckan-2.9.5

ckan-2.9.6

ckan-2.9.7

ckan-2.9.8

ckan-2.9.9

Other

datagov-pre-idatasetform-changes

demo-0.*

demo-0.1

demo-0.2

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-64100.json"