Bugs
- The
ckan user (equivalent to www-data) owned code and configuration files in the docker container.
- The
ckan user had the permissions to use sudo
Impact
These bugs allow for (1) code execution or (2) privilege escalation if an arbitrary file write bug is available.
Patches
These vulnerabilities have been fixed in the images tagged ckan-base:2.9.9, ckan-base:2.9.9-dev, ckan-base:2.10.1 and ckan-base:2.10.1-dev
Bugs
ckanuser (equivalent to www-data) owned code and configuration files in the docker container.ckanuser had the permissions to use sudoImpact
These bugs allow for (1) code execution or (2) privilege escalation if an arbitrary file write bug is available.
Patches
These vulnerabilities have been fixed in the images tagged
ckan-base:2.9.9,ckan-base:2.9.9-dev,ckan-base:2.10.1andckan-base:2.10.1-dev