cvedb.io
CVE-2023-32321
CRITICAL · CVSS 9.8
EPSS exploitation probability: 0%
Published 2023-05-26T23:15:18.010 · Last modified 2026-06-17T05:58:34.020

Summary

CKAN is an open-source data management system for powering data hubs and data portals. Multiple vulnerabilities have been discovered in Ckan which may lead to remote code execution. An arbitrary file write in `resource_create` and `package_update` actions, using the `ResourceUploader` object. Also reachable via `package_create`, `package_revise`, and `package_patch` via calls to `package_update`. Remote code execution via unsafe pickle loading, via Beaker's session store when configured to use the file session store backend. Potential DOS due to lack of a length check on the resource id. Information disclosure: A user with permission to create a resource can access any other resource on the system if they know the id, even if they don't have access to it. Resource overwrite: A user with p

Affected products

okfn — ckan

Does this affect you?

Add your gear to cvedb and we'll alert you only when okfn ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.