CVE-2023-22746

8.6 HIGH

📋 TL;DR

This vulnerability allows attackers to forge authentication requests against CKAN instances using default Docker images. It affects users who deployed CKAN via specific Docker images without overriding the default secret key. The shared secret key across instances enables session hijacking and unauthorized access.

💻 Affected Systems

Products:
  • ckan/ckan-docker
  • ckan/ckan-base
  • okfn/docker-ckan
  • openknowledge/ckan-base
  • openknowledge/ckan-dev
  • keitaroinc/docker-ckan
  • keitaro/ckan
Versions: All versions using default secret key configuration
Operating Systems: All platforms running affected Docker images
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Docker-based deployments with default secret key. Legacy ckan/ckan images and instances with custom secret keys in .env file are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of CKAN instances allowing data manipulation, privilege escalation, and unauthorized administrative access across all affected deployments.

🟠 Likely Case

Session hijacking leading to unauthorized data access, user impersonation, and potential data exfiltration from vulnerable CKAN portals.

🟢 If Mitigated

No impact if a custom secret key is properly configured via environment variables in the .env file.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires knowledge of the default secret key but is straightforward once the key is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Images updated after advisory publication

Vendor Advisory: https://github.com/ckan/ckan/security/advisories/GHSA-pr8j-v4c8-h62x

Restart Required: Yes

Instructions:

1. Update to the latest Docker images from the affected repositories.
2. Ensure the CKAN_SECRET environment variable is set uniquely per instance.
3. Restart all CKAN containers.

🔧 Temporary Workarounds

Set Custom Secret Key

all

Override default secret key with unique value per instance

echo 'CKAN_SECRET=your_unique_secret_key_here' >> .env

🧯 If You Can't Patch

  • Immediately set unique CKAN_SECRET environment variable in .env file for each instance
  • Rotate all session tokens and force user re-authentication across all instances

🔍 How to Verify

Check if Vulnerable:

Check whether the CKAN_SECRET environment variable is set in the .env file or container configuration. If it is empty or still set to the default value, the instance is vulnerable.

Check Version:

docker inspect [container_name] | grep -i ckan

Verify Fix Applied:

Verify that CKAN_SECRET is set to a unique value that differs from the default. Check the container logs for a successful restart with the new configuration.
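
The .env check described above can be scripted. The following is an added example, not code from the advisory or the CKAN project; the function name, the 32-character minimum and the sample files are assumptions. The default key value is not given on this page, so it is not compared here.

```shell
#!/bin/sh
# Added example (not CKAN project code): classify CKAN_SECRET in a .env file.
# Assumptions: plain KEY=value lines with optional quotes; MIN_LEN is a
# threshold chosen for this example, not a CKAN requirement.
MIN_LEN=32
# Placeholder text from the workaround command; a copy-paste leaves it behind.
PLACEHOLDER='your_unique_secret_key_here'

check_ckan_secret() {
    env_file=$1
    [ -r "$env_file" ] || { echo "unreadable"; return 2; }

    # Appending with `>> .env` can leave several assignments; flag for review.
    count=$(grep -c '^[[:space:]]*CKAN_SECRET=' "$env_file" || true)
    [ "$count" -eq 0 ] && { echo "missing"; return 1; }
    [ "$count" -gt 1 ] && { echo "duplicate"; return 1; }

    # Extract the value; drop a trailing CR and one pair of surrounding quotes.
    value=$(sed -n 's/^[[:space:]]*CKAN_SECRET=//p' "$env_file" | tr -d '\r' |
        sed -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/")

    [ -z "$value" ] && { echo "empty"; return 1; }
    [ "$value" = "$PLACEHOLDER" ] && { echo "placeholder"; return 1; }
    [ "${#value}" -lt "$MIN_LEN" ] && { echo "short"; return 1; }
    echo "ok"
}

# Constructed sample files, written to a temporary directory for the demo.
demo=$(mktemp -d)
printf 'OTHER_SETTING=1\n' > "$demo/missing.env"
printf 'CKAN_SECRET=\n' > "$demo/empty.env"
printf 'CKAN_SECRET=%s\n' "$PLACEHOLDER" > "$demo/placeholder.env"
printf 'CKAN_SECRET=aaa\nCKAN_SECRET=bbb\n' > "$demo/duplicate.env"
printf 'CKAN_SECRET="c0nstructed-sample-value-0123456789abcdef"\n' > "$demo/ok.env"
for f in "$demo"/*.env; do
    printf '%s: %s\n' "${f##*/}" "$(check_ckan_secret "$f" || true)"
done
rm -rf "$demo"
```

The function returns 0 only for "ok", so it can gate a deployment script. A "duplicate" result means the file holds more than one CKAN_SECRET line and should be reduced to a single assignment.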

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed authentication attempts from same source
  • Unexpected successful logins from unfamiliar locations
  • Session ID reuse across different user agents/IPs

Network Indicators:

  • Unusual authentication request patterns
  • Multiple session creation requests in short timeframes

SIEM Query:

source="ckan" AND (event="authentication" OR event="session") | stats count by src_ip, user
