{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/ckan/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["ckan"],"_cs_severities":["high"],"_cs_tags":["ckan","sql-injection","vulnerability"],"_cs_type":"advisory","_cs_vendors":["pip"],"content_html":"\u003cp\u003eA critical SQL injection vulnerability exists within the \u003ccode\u003edatastore_search_sql\u003c/code\u003e function of CKAN, an open-source data management system. This vulnerability allows unauthenticated attackers to inject arbitrary SQL queries, potentially leading to unauthorized access to sensitive data, including private resources and PostgreSQL system information. The vulnerability affects CKAN versions prior to 2.10.10 and versions 2.11.0 up to and including 2.11.4.  Successful exploitation can compromise the confidentiality and integrity of the CKAN instance and its underlying database. The issue was reported by Arvin Shivram of Brutecat Security and patched in CKAN versions 2.10.10 and 2.11.5.  Organizations using vulnerable versions of CKAN are at risk of data breaches and unauthorized access to critical system information.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a CKAN instance running a vulnerable version (prior to 2.10.10 or 2.11.0-2.11.4).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003edatastore_search_sql\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe malicious request contains a SQL injection payload within the parameters expected by \u003ccode\u003edatastore_search_sql\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eCKAN\u0026rsquo;s \u003ccode\u003edatastore_search_sql\u003c/code\u003e function fails to properly sanitize the input, allowing the injected SQL code to be executed against the PostgreSQL database.\u003c/li\u003e\n\u003cli\u003eThe injected SQL query retrieves sensitive data, such as private resource information, user credentials, or PostgreSQL system details.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts the compromised data from the HTTP response.\u003c/li\u003e\n\u003cli\u003eThe attacker may use the compromised credentials to gain further access to the CKAN instance and its associated systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability can lead to unauthorized access to sensitive data stored within the CKAN DataStore, including private resources and user credentials. Attackers can also gain access to PostgreSQL system information, potentially leading to further system compromise. The number of affected organizations is unknown, but any organization running a vulnerable version of CKAN is at risk. If successful, the attack can lead to data breaches, financial losses, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade CKAN instances to version 2.10.10 or 2.11.5 to remediate CVE-2026-42031.\u003c/li\u003e\n\u003cli\u003eAs a temporary workaround, disable the DataStore SQL search by setting \u003ccode\u003eckan.datastore.sqlsearch.enabled = false\u003c/code\u003e in the CKAN configuration, as mentioned in the overview.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests targeting the \u003ccode\u003edatastore_search_sql\u003c/code\u003e endpoint, looking for SQL syntax within the query parameters using the Sigma rules provided below.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-ckan-sql-injection/","summary":"An unauthenticated SQL injection vulnerability in CKAN's `datastore_search_sql` function allows attackers to access private resources and PostgreSQL system information, affecting versions prior to 2.10.10 and versions 2.11.0 through 2.11.4.","title":"CKAN Unauthenticated SQL Injection in datastore_search_sql","url":"https://feed.craftedsignal.io/briefs/2024-01-ckan-sql-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Ckan","version":"https://jsonfeed.org/version/1.1"}