{"id":"GHSA-m2xp-jxfg-qq6g","summary":"CKAN contains Improper Authentication leading to account takeover","details":"CKAN through 2.9.6 allows account takeovers by unauthenticated users when an existing user id is sent via an HTTP POST request. This allows a user to take over an existing account, including superuser accounts.","aliases":["CVE-2022-43685","PYSEC-2022-42987"],"modified":"2025-04-29T13:22:17.099447Z","published":"2022-11-22T03:30:56Z","database_specific":{"severity":"HIGH","nvd_published_at":"2022-11-22T01:15:00Z","github_reviewed_at":"2023-02-02T16:59:55Z","github_reviewed":true,"cwe_ids":["CWE-287","CWE-862"]},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-43685"},{"type":"WEB","url":"https://ckan.org"},{"type":"WEB","url":"https://ckan.org/blog/get-latest-patch-releases-your-ckan-site-october-2022"},{"type":"PACKAGE","url":"https://github.com/ckan/ckan"},{"type":"WEB","url":"https://github.com/pypa/advisory-database/tree/main/vulns/ckan/PYSEC-2022-42987.yaml"}],"affected":[{"package":{"name":"ckan","ecosystem":"PyPI","purl":"pkg:pypi/ckan"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.9.7"}]}],"versions":["0.11","0.3","0.4","0.5","0.6","0.7","0.8","1.0","1.1","1.2","1.3","1.3.2","1.3.3","1.4","1.4.1","1.4.2","1.4.3","1.4.3.1","1.5","1.5.1","1.6","1.7","1.7.1","1.8","2.0","2.0.1","2.0.7","2.0.8","2.1","2.1.1","2.1.5","2.1.6","2.2","2.2.1","2.2.3","2.2.4","2.3","2.3.1","2.3.2","2.3.3","2.3.4","2.3.5","2.4.0","2.4.1","2.4.2","2.4.3","2.4.4","2.4.5","2.4.8","2.4.9","2.5.0","2.5.1","2.5.2","2.5.3","2.5.4","2.5.6","2.5.7","2.5.8","2.5.9","2.6.0","2.6.1","2.6.3","2.6.4","2.6.5","2.6.6","2.6.7","2.6.8","2.6.9","2.7.0","2.7.1","2.7.10","2.7.11","2.7.12","2.7.2","2.7.3","2.7.4","2.7.5","2.7.6","2.7.7","2.7.8","2.7.9","2.8.0","2.8.1","2.8.10","2.8.11","2.8.12","2.8.2","2.8.3","2.8.4","2.8.5","2.8.6","2.8.7","2.8.8","2.8.9","2.9.0","2.9.1","2.9.2","2.9.3","2.9.4","2.9.5","2.9.6"],"database_specific":{"source"
:"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-m2xp-jxfg-qq6g/GHSA-m2xp-jxfg-qq6g.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}]}