[ckan-dev] CKAN vulnerable to HTTP response splitting

Adrià Mercader adria.mercader at okfn.org
Thu Sep 19 09:26:43 UTC 2019


Dear Eli,

Please don't discuss security-related issues like this one in a public
forum like this list. Send your report and any additional information to
security at ckan.org so the issue can be discussed without putting other users
at risk.

2.5.x is an unsupported version, and there's a good chance that any
potential vulnerabilities have been patched on more recent versions. But
again, let's discuss that on the security list.

Adrià

On Thu, 19 Sep 2019 at 10:32, Eli Agbayani <eagbayani at eol.org> wrote:

> Hi Everybody,
> Our CKAN portal is now using CKAN 2.5.9. We started from 2.5.2.
> I was told that a scanning tool (called Qualys) reported that our CKAN
> portal is vulnerable to
> HTTP response splitting
> <https://en.wikipedia.org/wiki/HTTP_response_splitting>. We are now on
> deadline to fix this vulnerability or else face being shut down.
> IS THERE NOTHING IN CKAN CONFIG OR SETTINGS THAT CAN HELP ELIMINATE THIS
> VULNERABILITY?
>
> HTTP response splitting is a common means of attack, and many applications
> have native means to handle it.
> I hope CKAN has a way to protect itself from this type of attack.
> ANY INPUT WILL BE APPRECIATED.
>
> Thanks,
> Eli Agbayani
>
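The "native means" Eli refers to is header validation at the framework or WSGI layer, which refuses to write a header containing CR or LF. The block below is an added example, not CKAN's or the list's own code: a validator of that kind, a redirect builder that uses it, and a check over constructed access-log lines that flags requests whose query string decodes to CR/LF. All function names, the log format and the sample lines are assumptions made for this example.

```python
import re
from urllib.parse import unquote

# RFC 7230 field-value characters: HTAB, visible ASCII and obs-text (0x80-0xFF).
# CR, LF and other control bytes are excluded, so a value cannot end the header line.
_FIELD_VALUE = re.compile(r"^[\t\x20-\x7e\x80-\xff]*$")
_FIELD_NAME = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

class HeaderInjectionError(ValueError):
    """Raised when a header would be written with a control byte in it."""

def safe_header(name, value):
    """Return (name, value) only if both are legal on a single header line."""
    if not _FIELD_NAME.fullmatch(name):
        raise HeaderInjectionError(f"bad header name {name!r}")
    if not _FIELD_VALUE.fullmatch(value):
        raise HeaderInjectionError(f"control character in {name}: {value!r}")
    return name, value

def is_safe_header(name, value):
    """Boolean form of safe_header, for filtering without exceptions."""
    try:
        safe_header(name, value)
        return True
    except HeaderInjectionError:
        return False

def redirect_headers(target):
    """Headers for a 302 whose Location came from a request parameter (hypothetical)."""
    return [safe_header("Location", target), safe_header("Content-Length", "0")]

# Detection side: flag requests whose query string decodes to CR or LF,
# the probe a scanner sends when testing for response splitting.
_QUERY = re.compile(r'"(?:GET|POST) \S*\?(\S*) HTTP/')

def find_crlf_probes(access_log_lines):
    """Return (line number, decoded query) for each request carrying CR/LF."""
    hits = []
    for n, line in enumerate(access_log_lines, start=1):
        m = _QUERY.search(line)
        if m and re.search(r"[\r\n]", unquote(m.group(1))):
            hits.append((n, unquote(m.group(1))))
    return hits

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Sep/2019:10:32:00 +0000] "GET /dataset?q=water HTTP/1.1" 200 5120',
    '10.0.0.9 - - [19/Sep/2019:10:33:10 +0000] "GET /user/login?came_from=/dashboard%0d%0aX-Probe:1 HTTP/1.1" 302 0',
]
```

A scanner finding against a site whose framework already applies this validation is often a false positive, which is why the first step is checking which layer writes the header, on the security list rather than here.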