CVE-2023-50248: Improper Handling of Length Parameter Inconsistency

December 13, 2023 (updated December 18, 2023)

CKAN is an open-source data management system for powering data hubs and data portals. Starting in version 2.0.0 and prior to versions 2.9.10 and 2.10.3, when submitting a POST request to the /dataset/new endpoint (including either the auth cookie or the Authorization header) with a specially-crafted field, an attacker can create an out-of-memory error in the hosting server. To trigger this error, the attacker need to have permissions to create or edit datasets. This vulnerability has been patched in CKAN 2.10.3 and 2.9.10.

References

github.com/advisories/GHSA-7fgc-89cx-w8j5
github.com/ckan/ckan/commit/bd02018b65c5b81d7ede195d00d0fcbac3aa33be
github.com/ckan/ckan/security/advisories/GHSA-7fgc-89cx-w8j5
nvd.nist.gov/vuln/detail/CVE-2023-50248

Detect and mitigate CVE-2023-50248 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →