ghsa-2hvh-cw5c-8q8q
Vulnerability from github
Published
2025-10-29 21:49
Modified
2025-10-29 21:49
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
Summary
CKAN vulnerable to fixed session IDs
Details

Impact

Session ids could be fixed by an attacker if the site is configured with server-side session storage (CKAN uses cookie-based session storage by default). The attacker would need to either set a cookie on the victim's browser or steal the victim's currently valid session. Session identifiers are now regenerated after each login.

Patches

This vulnerability has been fixed in CKAN 2.10.9 and 2.11.4

References

https://en.wikipedia.org/wiki/Session_fixation

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ckan"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.10.0"
            },
            {
              "fixed": "2.10.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ckan"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.11.0"
            },
            {
              "fixed": "2.11.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-64100"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-384"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-29T21:49:14Z",
    "nvd_published_at": "2025-10-29T18:15:42Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nSession ids could be fixed by an attacker if the site is configured with server-side session storage (CKAN uses cookie-based session storage by default). The attacker would need to either set a cookie on the victim\u0027s browser or steal the victim\u0027s currently valid session. Session identifiers are now regenerated after each login.\n\n### Patches\nThis vulnerability has been fixed in CKAN 2.10.9 and 2.11.4\n\n### References\n[https://en.wikipedia.org/wiki/Session_fixation](https://en.wikipedia.org/wiki/Session_fixation)",
  "id": "GHSA-2hvh-cw5c-8q8q",
  "modified": "2025-10-29T21:49:15Z",
  "published": "2025-10-29T21:49:14Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ckan/ckan/security/advisories/GHSA-2hvh-cw5c-8q8q"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64100"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ckan/ckan/commit/c2fe437f88be850a6edf7a32470772428819fab5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ckan/ckan"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "CKAN vulnerable to fixed session IDs"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.