CVE-2023-32696
CKAN < 2.9.9 and < 2.10.1 - Privilege Escalation via Sudo Access
Severity: HIGH
CKAN is an open-source data management system for powering data hubs and data portals. Prior to versions 2.9.9 and 2.10.1, the `ckan` user (equivalent to www-data) owned the code and configuration files inside the Docker container, and the `ckan` user was permitted to use sudo. Together these issues allowed code execution or privilege escalation whenever an arbitrary file write bug was available. Versions 2.9.9, 2.9.9-dev, 2.10.1, and 2.10.1-dev contain a patch.
References (2)
Vendor Advisory (confirmed): https://github.com/ckan/ckan-docker-base/security/advisories/GHSA-c74x-xfvr-x5wg
Scores
CVSS v3: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
EPSS: 0.0079
EPSS Percentile: 51.6%
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-269
Status: published
Products (2)
okfn/ckan 2.10.0
okfn/ckan < 2.9.9
Published: May 30, 2023
Tracked Since: Feb 18, 2026