[CKAN-Security] Responsible disclosure: CKAN

van Bockhaven, Cedric (NL - Amsterdam) CvanBockhaven at deloitte.nl
Wed Feb 22 09:33:31 UTC 2017


Dear CKAN team,

Could you please confirm receipt of the below email?

Many thanks,
Cedric

From: van Bockhaven, Cedric (NL - Amsterdam)
Sent: Wednesday 15 February 2017 16:13
To: 'security at ckan.org' <security at ckan.org>
Cc: Davies, Ari (NL - Amsterdam) <ADavies at deloitte.nl>; Karouzos, Nikos (NL - Amsterdam) <NiKarouzos at deloitte.nl>; van Veen, Michel (NL - Amsterdam) <MvanVeen at deloitte.nl>; Novickis, Tomas (NL - Amsterdam) <TNovickis at deloitte.nl>; Ariaan.Siezen at radboudumc.nl
Subject: Responsible disclosure: CKAN

Dear CKAN team,

During one of our security tests, we identified a number of potential security vulnerabilities in the CKAN portal software.

As a standard step of our responsible disclosure process, we contact the developer/owner of the product prior to applying for the relevant CVEs. This way, we want to make sure that there is enough time to fix the security issues, before we publish the technical details of our findings. Could you investigate and confirm the following issues? More details can be shared if required.
Moreover, could you confirm your policy for accrediting security professionals for identifying and responsibly disclosing these security issues? We would like to discuss with you the possibilities for accreditation.
Overview of identified vulnerabilities:
   - Solr search server injection
   - User enumeration via application functions
   - No responsible disclosure policy
Please find attached the observations.
We look forward to hearing from you,
Kind regards,
Cedric

Cedric Van Bockhaven
Sr. Consultant | Cyber Risk Services
Deloitte Risk Advisory B.V.
Gustav Mahlerlaan 2970, 1081 LA, Amsterdam, The Netherlands
Tel/Direct +31882887908 | Mobile +31683330429
cvanbockhaven at deloitte.nl / www.deloitte.com