CVE-2024-43371
CVE-2024-43371 is a medium-severity vulnerability in Okfn Ckan with a CVSS 3.x base score of 4.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-918.
Key facts
- Severity: Medium (CVSS 3.x base score 4.5)
- EPSS exploit prediction: 0% (27th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2024-2583
- Weakness: CWE-918
- Affected product: Okfn Ckan
- Published:
- Last modified:
Description
CKAN is an open-source data management system for powering data hubs and data portals. There are a number of CKAN plugins, including XLoader, DataPusher, Resource proxy and ckanext-archiver, that work by downloading the contents of local or remote files in order to perform some actions with their contents (e.g. pushing to the DataStore, streaming contents or saving a local copy). All of them use the resource URL, and there are currently no checks to limit what URLs can be requested. This means that a malicious (or unaware) user can create a resource with a URL pointing to a place where they should not have access in order for one of the previous tools to retrieve it (known as a Server Side Request Forgery). Users wanting to protect against these kinds of attacks can use one or a combination of the following approaches: (1) Use a separate HTTP proxy like Squid that can be used to allow / disallow IPs, domains etc as needed, and make CKAN extensions aware of this setting via the ckan.download_proxy config option. (2) Implement custom firewall rules to prevent access to restricted resources. (3) Use custom validators on the resource url field to block/allow certain domains or IPs. All latest versions of the plugins listed above support the ckan.download_proxy settings. Support for this setting in the Resource Proxy plugin was included in CKAN 2.10.5 and 2.11.0.
Frequently asked questions
- What is CVE-2024-43371?
- CKAN is an open-source data management system for powering data hubs and data portals. There are a number of CKAN plugins, including XLoader, DataPusher, Resource proxy and ckanext-archiver, that work by downloading the contents of local or remote files in order to perform some actions with their contents (e.g. pushing to the DataStore, streaming contents or saving a local copy). All of them use the resource URL, and there are currently no checks to limit what URLs can be requested. This means that a malicious (or unaware) user can create a resource with a URL pointing to a place where they should not have access in order for one of the previous tools to retrieve it (known as a Server Side Request Forgery). Users wanting to protect against these kinds of attacks can use one or a combination of the following approaches: (1) Use a separate HTTP proxy like Squid that can be used to allow / disallow IPs, domains etc as needed, and make CKAN extensions aware of this setting via the ckan.download_proxy config option. (2) Implement custom firewall rules to prevent access to restricted resources. (3) Use custom validators on the resource url field to block/allow certain domains or IPs. All latest versions of the plugins listed above support the ckan.download_proxy settings. Support for this setting in the Resource Proxy plugin was included in CKAN 2.10.5 and 2.11.0.
- How severe is CVE-2024-43371?
- CVE-2024-43371 has a CVSS 3.x base score of 4.5, rated medium severity. It is exploitable over network with low attack complexity, requires high privileges and user interaction. Impact on confidentiality is high, integrity none, and availability none.
- Is CVE-2024-43371 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (27th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2024-43371?
- CVE-2024-43371 affects Okfn Ckan. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2024-43371?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2024-43371 have an EU (EUVD) identifier?
- Yes. CVE-2024-43371 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-2583.
- When was CVE-2024-43371 published?
- CVE-2024-43371 was published on 2024-08-21 and last updated on 2026-06-17.
References
Affected products (1)
- cpe:2.3:a:okfn:ckan:*:*:*:*:*:*:*:*
More vulnerabilities in Okfn Ckan
- CVE-2026-42031 — Critical (CVSS 9.8): CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Prior to 2.10.10 and…
- CVE-2023-32321 — Critical (CVSS 9.8): CKAN is an open-source data management system for powering data hubs and data portals. Multiple vulnerabilities have…
- CVE-2026-42032 — Critical (CVSS 9.1): CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Prior to 2.10.10 and…
- CVE-2023-32696 — High (CVSS 8.8): CKAN is an open-source data management system for powering data hubs and data portals. Prior to versions 2.9.9 and…
- CVE-2022-43685 — High (CVSS 8.8): CKAN through 2.9.6 account takeovers by unauthenticated users when an existing user id is sent via an HTTP POST…
- CVE-2023-22746 — High (CVSS 8.6): CKAN is an open-source DMS (data management system) for powering data hubs and data portals. When creating a new…
All CVEs affecting Okfn Ckan →
Other CWE-918 (Server-Side Request Forgery (SSRF)) vulnerabilities
- CVE-2026-47938 — Critical (CVSS 10.0): Adobe Campaign Classic (ACC) versions 7.4.3 build 9394 and earlier are affected by a Server-Side Request Forgery (SSRF)…
- CVE-2026-35431 — Critical (CVSS 10.0): Server-side request forgery (ssrf) in Microsoft Entra ID Entitlement Management allows an unauthorized attacker to…
- CVE-2026-32186 — Critical (CVSS 10.0): Server-side request forgery (ssrf) in Microsoft Bing allows an unauthorized attacker to elevate privileges over a…
- CVE-2026-33107 — Critical (CVSS 10.0): Server-side request forgery (ssrf) in Azure Databricks allows an unauthorized attacker to elevate privileges over a…
- CVE-2026-32871 — Critical (CVSS 10.0): FastMCP is a Pythonic way to build MCP servers and clients. Prior to version 3.2.0, the OpenAPIProvider in FastMCP…
- CVE-2026-32169 — Critical (CVSS 10.0): Server-side request forgery (ssrf) in Azure Cloud Shell allows an unauthorized attacker to elevate privileges over a…
Browse all CWE-918 (Server-Side Request Forgery (SSRF)) vulnerabilities →