CVE-2024-41675
📋 TL;DR
This vulnerability allows cross-site scripting (XSS) attacks in CKAN's Datatables view plugin due to improper escaping of data from the DataStore. Attackers can inject malicious scripts that execute in users' browsers when viewing tabular data previews. Sites running CKAN 2.7.0 or later with the datatables_view plugin activated are affected.
💻 Affected Systems
- CKAN
📦 What is this software?
CKAN, an open-source data portal platform maintained by OKFN (Open Knowledge Foundation).
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal session cookies, credentials, or sensitive data from authenticated users, potentially gaining administrative access to the CKAN instance.
Likely Case
Attackers inject malicious scripts that deface pages, redirect users to phishing sites, or steal limited session data from users viewing vulnerable data previews.
If Mitigated
With proper Content Security Policy (CSP) headers and other web security controls, script execution is blocked, limiting impact to minor data leakage.
🎯 Exploit Status
Exploitation requires the attacker to have data entry/modification privileges in the DataStore or trick users into viewing maliciously crafted data.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.10.5 or 2.11.0
Vendor Advisory: https://github.com/ckan/ckan/security/advisories/GHSA-r3jc-vhf4-6v32
Restart Required: Yes
Instructions:
1. Upgrade CKAN to version 2.10.5 or 2.11.0.
2. Restart the CKAN application server (e.g., Apache, Nginx, Gunicorn).
3. Verify that the datatables_view plugin properly escapes data.
🔧 Temporary Workarounds
Disable Datatables View Plugin
Deactivate the vulnerable plugin to eliminate the attack vector.
ckan plugin disable datatables_view
Implement Content Security Policy
Add CSP headers to block inline script execution and restrict script sources.
Add the header Content-Security-Policy: script-src 'self' to the web server configuration.
🧯 If You Can't Patch
- Disable the datatables_view plugin immediately using 'ckan plugin disable datatables_view'.
- Implement strict Content Security Policy headers to prevent script execution from untrusted sources.
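The CSP workaround only helps if the policy actually forbids inline and wildcard script sources. The following is an added example (not CKAN code and not from the advisory) that parses a Content-Security-Policy header value and reports the weaknesses that matter for stored XSS; the two policy strings are constructed, and the header name/directive semantics follow the CSP specification.

```python
# Added example: audit a Content-Security-Policy header for weaknesses that
# would let injected markup from a DataStore cell execute as script.
# Policy strings below are constructed for illustration.

WEAK_CSP = "default-src *; script-src * 'unsafe-inline' 'unsafe-eval'"
HARDENED_CSP = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"

NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header_value):
    """Parse a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header_value.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_script_sources(policy):
    """script-src falls back to default-src when it is not set explicitly."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src", [])


def csp_findings(header_value):
    """Return human-readable weaknesses; an empty list means no finding."""
    policy = parse_csp(header_value)
    findings = []
    if not policy:
        findings.append("no policy: inline scripts execute freely")
        return findings
    sources = effective_script_sources(policy)
    if not sources:
        findings.append("no script-src or default-src: scripts unrestricted")
    # Browsers ignore 'unsafe-inline' once a nonce or hash source is present,
    # so only flag it when neither is listed.
    if "'unsafe-inline'" in sources and not any(s.startswith(NONCE_OR_HASH) for s in sources):
        findings.append("'unsafe-inline' without nonce/hash: injected <script> tags run")
    if "'unsafe-eval'" in sources:
        findings.append("'unsafe-eval' allows string-to-code execution")
    if "*" in sources or any(s in ("http:", "https:") for s in sources):
        findings.append("wildcard script source: remote scripts from any origin load")
    if "object-src" not in policy and "default-src" not in policy:
        findings.append("object-src unrestricted: add object-src 'none' or a default-src")
    return findings


if __name__ == "__main__":
    for label, value in (("weak", WEAK_CSP), ("hardened", HARDENED_CSP)):
        print(label, csp_findings(value) or "OK")
```

Note that the minimal header suggested above (script-src 'self' alone) passes the script checks but leaves object-src unrestricted; the checker reports that so you can add object-src 'none' or a default-src fallback.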
🔍 How to Verify
Check if Vulnerable:
Check if CKAN version is >= 2.7.0 and datatables_view plugin is enabled using 'ckan plugin show'.
Check Version:
ckan --version
Verify Fix Applied:
Verify CKAN version is 2.10.5 or 2.11.0 using 'ckan --version' and test data previews for proper HTML escaping.
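To test a data preview for proper escaping, seed a harmless marker containing HTML tags into a DataStore cell and confirm that the rendered preview contains only its escaped form. The following is an added example (not part of CKAN or the advisory): the marker and the two response bodies are constructed, standing in for the HTML you would capture from the resource view page of your own instance.

```python
# Added example: check that a rendered preview neutralises HTML in cell values.
# MARKER is a constructed, inert tag; the two responses are constructed stand-ins
# for captured HTML from a vulnerable and a fixed instance.
import html

MARKER = "<b data-escape-check>ckan-41675-check</b>"

VULNERABLE_RESPONSE = "<table><tr><td>" + MARKER + "</td></tr></table>"
FIXED_RESPONSE = "<table><tr><td>" + html.escape(MARKER, quote=False) + "</td></tr></table>"


def preview_escapes_marker(rendered_html, marker=MARKER):
    """True only if the escaped marker is present and the raw marker is absent."""
    escaped = html.escape(marker, quote=False)
    return escaped in rendered_html and marker not in rendered_html


def find_unescaped_cells(rendered_html, cell_values):
    """Return cell values that contain HTML-significant characters and
    appear verbatim (unescaped) in the rendered output."""
    significant = "<>&\""
    return [v for v in cell_values
            if any(c in v for c in significant) and v in rendered_html]


if __name__ == "__main__":
    for label, body in (("vulnerable", VULNERABLE_RESPONSE), ("fixed", FIXED_RESPONSE)):
        print(label, "escapes marker:", preview_escapes_marker(body))
```

Run it against the HTML actually served for the view after seeding the marker; a value that comes back unchanged inside a table cell means the preview is still rendering DataStore content as markup.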
📡 Detection & Monitoring
Log Indicators:
- Unusual JavaScript payloads in DataStore entries or URL parameters
- Multiple requests to datatables_view endpoints with suspicious parameters
Network Indicators:
- Outbound connections to external domains from CKAN pages that shouldn't have them
- Suspicious script tags in HTTP responses from datatables_view
SIEM Query:
source="ckan" AND (uri_path="/dataset/*/resource/*/view" OR uri_path LIKE "%/datatables_view%") AND (http_user_agent LIKE "%script%" OR http_query LIKE "%<script>%")
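The same indicators can be checked outside a SIEM. The following added example (not CKAN code and not from the advisory) parses combined-format access log lines and DataStore records, flagging script markers in the request path, query or User-Agent on datatables_view-related paths and in stored cell values. The log lines and records are constructed; the /datatables/ajax/ path is assumed from the plugin's blueprint and should be adjusted to your deployment.

```python
# Added example: detection logic for the log and DataStore indicators above.
# SAMPLE_LOG and RECORDS are constructed test data, not real CKAN output.
import re
from urllib.parse import unquote_plus

SAMPLE_LOG = """\
203.0.113.5 - - [10/Aug/2024:12:00:01 +0000] "GET /dataset/air-quality/resource/abc123/view/def456 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Aug/2024:12:00:02 +0000] "GET /datatables/ajax/def456?draw=1&search=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Aug/2024:12:00:03 +0000] "POST /api/3/action/datastore_upsert HTTP/1.1" 200 300 "-" "python-requests/2.31"
198.51.100.7 - - [10/Aug/2024:12:00:04 +0000] "GET /dataset/air-quality/resource/abc123/view/def456 HTTP/1.1" 200 5120 "-" "<script>evil</script>"
"""

RECORDS = [
    {"_id": 1, "site": "Downtown", "note": "ok"},
    {"_id": 2, "site": "<img src=x onerror=alert(1)>", "note": "fine"},
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d+) (?P<size>\S+) "(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Script tags, javascript: URLs and inline event handlers (word boundary avoids "contents=").
SCRIPT_INDICATORS = re.compile(r"<\s*script\b|javascript:|\bon\w+\s*=", re.I)
# Resource view pages and the datatables AJAX endpoint (path assumed; adjust as needed).
DATATABLES_PATH = re.compile(r"/datatables/|/resource/[^/]+/view/")


def parse_line(line):
    """Parse one combined-format access log line; None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_log(text):
    """Return hits for datatables-related requests carrying script indicators."""
    hits = []
    for line in text.splitlines():
        entry = parse_line(line)
        if not entry or not DATATABLES_PATH.search(entry["path"]):
            continue
        reasons = []
        if SCRIPT_INDICATORS.search(unquote_plus(entry["path"])):
            reasons.append("script indicator in request path/query")
        if SCRIPT_INDICATORS.search(entry["ua"]):
            reasons.append("script indicator in User-Agent")
        if reasons:
            hits.append({"ip": entry["ip"], "ts": entry["ts"], "path": entry["path"], "reasons": reasons})
    return hits


def scan_records(records):
    """Return DataStore cells whose value carries a script indicator."""
    findings = []
    for rec in records:
        for field, value in rec.items():
            if field == "_id":
                continue
            if SCRIPT_INDICATORS.search(str(value)):
                findings.append({"_id": rec.get("_id"), "field": field, "value": value})
    return findings


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("log:", hit)
    for f in scan_records(RECORDS):
        print("datastore:", f)
```

Feed scan_records the output of the datastore_search API for each resource that has a datatables view; a hit there is the stored payload the log indicators only hint at.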