{"id":"CVE-2024-43371","summary":"Potential access to sensitive URLs via CKAN extensions (SSRF)","details":"CKAN is an open-source data management system for powering data hubs and data portals. There are a number of CKAN plugins, including XLoader, DataPusher, Resource proxy and ckanext-archiver, that work by downloading the contents of local or remote files in order to perform some actions with their contents (e.g. pushing to the DataStore, streaming contents or saving a local copy). All of them use the resource URL, and there are currently no checks to limit what URLs can be requested. This means that a malicious (or unaware) user can create a resource with a URL pointing to a place where they should not have access in order for one of the previous tools to retrieve it (known as a Server Side Request Forgery). Users wanting to protect against these kinds of attacks can use one or a combination of the following approaches: (1) Use a separate HTTP proxy like Squid that can be used to allow / disallow IPs, domains etc as needed, and make CKAN extensions aware of this setting via the ckan.download_proxy config option. (2) Implement custom firewall rules to prevent access to restricted resources. (3) Use custom validators on the resource url field to block/allow certain domains or IPs. All latest versions of the plugins listed above support the ckan.download_proxy settings. Support for this setting in the Resource Proxy plugin was included in CKAN 2.10.5 and 2.11.0.","aliases":["GHSA-g9ph-j5vj-f8wm"],"modified":"2026-03-12T03:41:01.315578Z","published":"2024-08-21T14:47:31.160Z","database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-918"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/43xxx/CVE-2024-43371.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/43xxx/CVE-2024-43371.json"},{"type":"ADVISORY","url":"https://github.com/ckan/ckan/security/advisories/GHSA-g9ph-j5vj-f8wm"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-43371"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ckan/ckan","events":[{"introduced":"0"},{"fixed":"66abe426634625b9cad7a67728e481f554436412"}]}],"versions":["ckan-1.3.3b","ckan-1.4","ckan-1.4.1","ckan-1.4.2","ckan-1.4.3","ckan-1.5","ckan-1.5.1","ckan-1.6","ckan-1.7","ckan-2.10.0","ckan-2.10.1","ckan-2.10.2","ckan-2.10.3","ckan-2.10.4","demo-0.1","demo-0.2"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-43371.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N"}]}