Attacker Impact
An unauthenticated attacker can execute arbitrary SQL commands against the CKAN datastore [S2]. This allows for the unauthorized retrieval of sensitive data, modification of existing records, or deletion of datasets [S3]. Furthermore, the flaw enables attackers to bypass authorization checks, potentially accessing private data that should be restricted to specific users or organizations [S2].
Root Cause
The vulnerability stems from a failure in the datastore_search_sql API action to properly sanitize user input and enforce access controls [S2]. Specifically, the endpoint allows raw SQL queries to be submitted without adequate parameterization or validation, leading to SQL injection (CWE-89) [S1]. Additionally, the authorization logic (CWE-863) is insufficient, allowing unauthenticated requests to reach the query execution engine [S3].
Affected Versions
CKAN versions prior to 2.10.10 are affected by this vulnerability [S2].
Concrete Fixes
- Upgrade CKAN: Update your CKAN installation to version 2.10.10 or later to resolve the SQL injection and authorization bypass issues [S2].
How FixVibe could detect it
FixVibe can detect this vulnerability by identifying CKAN instances running versions prior to 2.10.10 [S2]. It can also verify the exposure of the datastore_search_sql API endpoint to unauthenticated requests, which is a primary characteristic of this vulnerability [S3].
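The version check described above, as an added example (not FixVibe's implementation and not CKAN project code), run over saved responses from CKAN's status_show API action for instances you operate. The sample bodies, instance names and result labels are constructed for illustration, and the 2.10.10 threshold is the one this page states.

```python
import json
import re

FIXED = (2, 10, 10)  # first fixed release according to this page

# Constructed status_show response bodies; instance names are hypothetical.
SAMPLES = {
    "portal-a": '{"success": true, "result": {"ckan_version": "2.10.4", '
                '"extensions": ["datastore", "datapusher"]}}',
    "portal-b": '{"success": true, "result": {"ckan_version": "2.10.10", '
                '"extensions": ["datastore"]}}',
    "portal-c": '{"success": true, "result": {"ckan_version": "2.9.11", '
                '"extensions": ["stats"]}}',
    "portal-d": "<html>502 Bad Gateway</html>",
}

def parse_version(text):
    """Return ((major, minor, patch), is_prerelease), or None if unparseable."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?([a-z]+\d*)?", text.strip())
    if not m:
        return None
    return (int(m[1]), int(m[2]), int(m[3] or 0)), bool(m[4])

def assess(status_body):
    """Classify one status_show body; the result labels are this example's own."""
    try:
        result = json.loads(status_body)["result"]
        parsed = parse_version(result["ckan_version"])
    except (ValueError, KeyError, TypeError, AttributeError):
        return "unknown"
    if parsed is None:
        return "unknown"
    version, prerelease = parsed
    # A pre-release of the fixed version sorts before the fixed release.
    if version > FIXED or (version == FIXED and not prerelease):
        return "patched"
    plugins = result.get("extensions") or []
    return ("affected-datastore-loaded" if "datastore" in plugins
            else "affected-datastore-not-loaded")

def triage(samples):
    """Map each instance name to its classification."""
    return {name: assess(body) for name, body in samples.items()}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name}: {verdict}")
```

An "unknown" result means the body could not be parsed and the instance needs a manual check rather than being counted as patched.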
