CVE-2022-43685: CKAN contains Improper Authentication leading to account takeover

November 22, 2022 (updated April 29, 2025)

CKAN through 2.9.6 account takeovers by unauthenticated users when an existing user id is sent via an HTTP POST request. This allows a user to take over an existing account including superuser accounts.

References

ckan.org/
ckan.org/blog/get-latest-patch-releases-your-ckan-site-october-2022
github.com/advisories/GHSA-m2xp-jxfg-qq6g
github.com/ckan/ckan
github.com/pypa/advisory-database/tree/main/vulns/ckan/PYSEC-2022-42987.yaml
nvd.nist.gov/vuln/detail/CVE-2022-43685

Code Behaviors & Features

Detect and mitigate CVE-2022-43685 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →