CVE-2024-43371: Potential access to sensitive URLs via CKAN extensions (SSRF)

August 21, 2024

There are a number of CKAN plugins, including XLoader, DataPusher, Resource proxy and ckanext-archiver, that work by downloading the contents of local or remote files in order to perform some actions with their contents (e.g. pushing to the DataStore, streaming contents or saving a local copy). All of them use the resource URL, and there are currently no checks to limit what URLs can be requested. This means that a malicious (or unaware) user can create a resource with a URL pointing to a place where they should not have access in order for one of the previous tools to retrieve it (known as a Server Side Request Forgery).

References

github.com/advisories/GHSA-g9ph-j5vj-f8wm
github.com/ckan/ckan
github.com/ckan/ckan/commit/382beaec98cb331f2a030459ef043c50eaf5ad53
github.com/ckan/ckan/commit/8601183cc2fc87277ea5b33ff75c3a5610812ab5
github.com/ckan/ckan/security/advisories/GHSA-g9ph-j5vj-f8wm
nvd.nist.gov/vuln/detail/CVE-2024-43371

Detect and mitigate CVE-2024-43371 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →