Bugs
- The ckan user (equivalent to www-data) owned code and configuration files in the docker container.
- The ckan user had the permissions to use sudo.
Impact
These bugs allow for (1) code execution or (2) privilege escalation if an arbitrary file write bug is available.
Patches
These vulnerabilities have been fixed in the images tagged ckan-base:2.9.9, ckan-base:2.9.9-dev, ckan-base:2.10.1 and ckan-base:2.10.1-dev.
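
A check for both conditions above, written as an added example (it is not part of the advisory or of the CKAN project's code). The directories and sudoers file passed in are assumptions about the image's layout, and the sudoers match is a line-level heuristic.

```shell
#!/bin/sh
# Added example (not from the advisory): audit an image for both conditions.
# The paths passed in are assumptions; use the image's real code/config dirs.

# Print every path under the given directories owned by USER (name or uid).
# A runtime user owning code or config turns a file write into code execution.
owned_paths() {
    user=$1; shift
    find "$@" -user "$user" -print 2>/dev/null
}

# Succeed if a sudoers file has a rule for USER or one of its groups.
# Heuristic line match only: aliases and include directives are not resolved.
has_sudo_rule() {
    user=$1; shift
    principals=$user
    for g in $(id -Gn "$user" 2>/dev/null); do
        principals="$principals %$g"
    done
    for p in $principals; do
        # Match when the first field of a line equals the user or %group.
        if awk -v p="$p" '$1 == p { found = 1 } END { exit !found }' "$@" 2>/dev/null; then
            return 0
        fi
    done
    return 1
}

# Report both findings; return 1 if either condition is present.
audit() {
    user=$1; sudoers=$2; shift 2
    rc=0
    hits=$(owned_paths "$user" "$@")
    if [ -n "$hits" ]; then
        echo "FAIL: $user owns:"; echo "$hits"; rc=1
    fi
    if has_sudo_rule "$user" "$sudoers"; then
        echo "FAIL: $user has a sudoers rule in $sudoers"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $user owns nothing audited and has no sudo rule"
    return "$rc"
}
```

Inside the container, call it as `audit ckan /etc/sudoers <code-dir> <config-dir>`; running `sudo -l -U ckan` as root gives the fully resolved sudo answer where sudo is installed.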