[CKAN-Security] Responsible disclosure: CKAN
van Bockhaven, Cedric (NL - Amsterdam)
CvanBockhaven at deloitte.nl
Wed Feb 15 15:14:25 UTC 2017
Dear CKAN team,
During one of our security tests, we identified a number of potential security vulnerabilities in the CKAN portal software.
As a standard step of our responsible disclosure process, we contact the developer/owner of the product prior to applying for the relevant CVEs. This way, we want to make sure that there is enough time to fix the security issues before we publish the technical details of our findings. Could you investigate and confirm the following issues? More details can be shared if required.
Moreover, could you confirm your policy for accrediting security professionals for identifying and responsibly disclosing these security issues? We would like to discuss with you the possibilities for accreditation.
Overview of identified vulnerabilities:
- Solr search server injection
- User enumeration via application functions
- No responsible disclosure policy
Please find attached the observations.
We look forward to hearing from you,
Kind regards,
Cedric
Cedric Van Bockhaven
Sr. Consultant | Cyber Risk Services
Deloitte Risk Advisory B.V.
Gustav Mahlerlaan 2970, 1081 LA, Amsterdam, The Netherlands
Tel/Direct +31882887908 | Mobile +31683330429
cvanbockhaven at deloitte.nl / www.deloitte.com
*Disclaimer:*
________________________________
This e-mail message and its attachments are subject to the disclaimer published at the following website of Deloitte:
http://www2.deloitte.com/nl/nl/legal/Disclaimer.html
Deloitte Risk Advisory B.V. is registered with the trade register in The Netherlands under number 50340158.
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ("DTTL"), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as "Deloitte Global") does not provide services to clients. Please see http://www2.deloitte.com/nl/nl/pages/about-deloitte/articles/over-deloitte.html for a more detailed description of DTTL and its member firms.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CKAN.DOCX
Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Size: 301321 bytes
Desc: CKAN.DOCX
URL: <https://lists.okfn.org/mailman/private/security/attachments/20170215/88e2b8cd/attachment.docx>