CVE-2023-50248

MEDIUM4.5EPSS 0.18%

Out of memory error when submitting the dataset form with a specially-crafted field

Published: 12/13/2023Modified: 2/16/2024

Description

### Impact When submitting a POST request to the `/dataset/new` endpoint (including either the auth cookie or the `Authorization` header) with a specially-crafted field, an attacker can create an out-of-memory error in the hosting server. To trigger this error the user needs to have permissions to create or edit datasets. ### Patches This vulnerability has been patched in CKAN 2.10.3 and 2.9.10

Affected packages (1)

PyPI/ckan>= 2.0, < 2.9.10

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.5	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-50248
PATCHhttps://github.com/ckan/ckan
WEBhttps://github.com/ckan/ckan/commit/bd02018b65c5b81d7ede195d00d0fcbac3aa33be
WEBhttps://github.com/ckan/ckan/security/advisories/GHSA-7fgc-89cx-w8j5