{"id":"PYSEC-2022-42987","details":"CKAN through 2.9.6 allows account takeovers by unauthenticated users when an existing user id is sent via an HTTP POST request. This allows an unauthenticated user to take over an existing account, including superuser accounts. Fixed in 2.9.7.","aliases":["CVE-2022-43685","GHSA-m2xp-jxfg-qq6g"],"modified":"2023-11-08T04:10:45.049673Z","published":"2022-11-22T01:15:00Z","references":[{"type":"WEB","url":"https://ckan.org/"},{"type":"ARTICLE","url":"https://ckan.org/blog/get-latest-patch-releases-your-ckan-site-october-2022"}],"affected":[{"package":{"name":"ckan","ecosystem":"PyPI","purl":"pkg:pypi/ckan"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.9.7"}]}],"versions":["0.11","0.3","0.4","0.5","0.6","0.7","0.8","1.0","1.1","1.2","1.3","1.3.2","1.3.3","1.4","1.4.1","1.4.2","1.4.3","1.4.3.1","1.5","1.5.1","1.6","1.7","1.7.1","1.8","2.0","2.0.1","2.0.7","2.0.8","2.1","2.1.1","2.1.5","2.1.6","2.2","2.2.1","2.2.3","2.2.4","2.3","2.3.1","2.3.2","2.3.3","2.3.4","2.3.5","2.4.0","2.4.1","2.4.2","2.4.3","2.4.4","2.4.5","2.4.8","2.4.9","2.5.0","2.5.1","2.5.2","2.5.3","2.5.4","2.5.6","2.5.7","2.5.8","2.5.9","2.6.0","2.6.1","2.6.3","2.6.4","2.6.5","2.6.6","2.6.7","2.6.8","2.6.9","2.7.0","2.7.1","2.7.10","2.7.11","2.7.12","2.7.2","2.7.3","2.7.4","2.7.5","2.7.6","2.7.7","2.7.8","2.7.9","2.8.0","2.8.1","2.8.10","2.8.11","2.8.12","2.8.2","2.8.3","2.8.4","2.8.5","2.8.6","2.8.7","2.8.8","2.8.9","2.9.0","2.9.1","2.9.2","2.9.3","2.9.4","2.9.5","2.9.6"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/ckan/PYSEC-2022-42987.yaml"}}],"schema_version":"1.7.3"}