Reproduction steps for Arbitrary file write in resource_create and package_update actions, using the ResourceUploader object Vulnerability.
#7689 (Closed)
Gauravp-NEC started this conversation in General
Replies: 1 comment
@Gauravp-NEC Please, to discuss security-related issues, use the security@ckan.org email address. The two scenarios you describe are perfectly valid and the expected behaviour. A user authorized to create a dataset on Org 1 will be able to create resources in that dataset (a URL-based resource in the first case and an empty resource in the second case). The vulnerability linked has been fixed in the CKAN versions listed in the advisory.
@amercader @YoloClin, with reference to CVE-2023-32321, I tried to confirm the below sub-vulnerability on CKAN v2.9.9:

Arbitrary file write in `resource_create` and `package_update` actions, using the `ResourceUploader` object. Also reachable via `package_create`, `package_revise`, and `package_patch` via calls to `package_update`.

I have performed the below operations to verify the above-mentioned sub-vulnerability:

1. `Test_resource` and enter a dummy resource link (https://example.com/data.csv) in URL as shown below:
   Current Result: Resource file 'data.csv' is created.
   Expected Result: Resource file 'data.csv' should not be created as the vulnerability has been fixed in v2.9.9 or 2.10.1.
2. In the `Test_resource` dataset, add a new resource by only entering `test.csv` in the Names: field as shown below:
   Current Result: Resource file 'test.csv' is created.
   Expected Result: Resource file 'test.csv' should not be created as the vulnerability has been fixed in v2.9.9 or 2.10.1.

Can you please explain the reproduction steps regarding the sub-vulnerability (Arbitrary file write in `resource_create` and `package_update` actions, using the `ResourceUploader` object. Also reachable via `package_create`, `package_revise`, and `package_patch` via calls to `package_update`.)? Thanks