{"id":"CVE-2022-43685","details":"CKAN through 2.9.6 allows account takeover by unauthenticated users when an existing user id is sent via an HTTP POST request. This allows such a user to take over an existing account, including superuser accounts. The affected ranges in this record list 2.8.12 and 2.9.7 as the fixed releases.","aliases":["GHSA-m2xp-jxfg-qq6g","PYSEC-2022-42987"],"modified":"2026-04-10T04:52:09.287731Z","published":"2022-11-22T01:15:38.730Z","references":[{"type":"ADVISORY","url":"https://ckan.org/"},{"type":"ADVISORY","url":"https://ckan.org/blog/get-latest-patch-releases-your-ckan-site-october-2022"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ckan/ckan","events":[{"introduced":"0"},{"fixed":"d843f5e85879e442acde7d679b622014b3518746"},{"introduced":"ba0120dc0c798bbc9b6d8e9ad83db01a197ea179"},{"fixed":"0d714b258668ee78a0b19182c53b34689629df37"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.8.12"},{"introduced":"2.9.0"},{"fixed":"2.9.7"}]}}],"versions":["ckan-1.3.3b","ckan-1.4.3","ckan-1.5","ckan-2.8.0","ckan-2.8.1","ckan-2.8.10","ckan-2.8.11","ckan-2.8.2","ckan-2.8.3","ckan-2.8.4","ckan-2.8.5","ckan-2.8.6","ckan-2.8.7","ckan-2.8.8","ckan-2.9.0","ckan-2.9.1","ckan-2.9.2","ckan-2.9.3","ckan-2.9.4","ckan-2.9.5","ckan-2.9.6"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-43685.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}