4.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-43371

CVE-2024-43371: Potential access to sensitive URLs via CKAN extensions (SSRF)

Impact

There are a number of CKAN plugins, including XLoader, DataPusher, Resource proxy and ckanext-archiver, that work by downloading the contents of local or remote files in order to perform some actions with their contents (e.g. pushing to the DataStore, streaming contents or saving a local copy). All of them use the resource URL, and there are currently no checks to limit what URLs can be requested. This means that a malicious (or unaware) user can create a resource with a URL pointing to a place where they should not have access in order for one of the previous tools to retrieve it (known as a Server Side Request Forgery).

Patches and Workarounds

Users wanting to protect against these kinds of attacks can use one or a combination of the following approaches:

Use a separate HTTP proxy like Squid that can be used to allow / disallow IPs, domains etc as needed, and make CKAN extensions aware of this setting via the ckan.download_proxy config option.
Implement custom firewall rules to prevent access to restricted resources.
Use custom validators on the resource url field to block/allow certain domains or IPs.

All latest versions of the plugins linked above support the ckan.download_proxy settings. Support for this setting in the Resource Proxy plugin was included in CKAN 2.10.5 and 2.11.0

References

Blog post provides more details on how to configure a Squid proxy to prevent these issues

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-43371

CVE-2024-43371:

4.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
ckan	pip	< 2.10.5	2.10.5

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from CKAN extensions (like Resource Proxy) fetching resource URLs without proper validation. The advisory explicitly states that Resource Proxy added support for ckan.download_proxy in CKAN 2.10.5, implying prior versions lacked this safeguard. The proxy function in the Resource Proxy controller is directly responsible for fetching external URLs, making it the most likely vulnerable point. While other plugins (XLoader, DataPusher) are mentioned, the CKAN package's direct vulnerability relates to its Resource Proxy implementation. The provided commit diff only updates documentation, so the actual code fix for the vulnerability is inferred from the GHSA details and patched version notes.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

4.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-43371: Potential access to sensitive URLs via CKAN extensions (SSRF)

Impact

Patches and Workarounds

References

CVE-2024-43371:

4.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

4.5

4.5

CVE-2024-43371: Potential access to sensitive URLs via CKAN extensions (SSRF)

Impact

Patches and Workarounds

References

Basic Information

Basic Information

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI