Improper Handling of Length Parameter Inconsistency
CVE-2023-50248
Summary
CKAN is an open-source data management system for powering data hubs and data portals. In versions 2.0 through 2.9.9, and 2.10.0 through 2.10.2, submitting a "POST" request to the `/dataset/new` endpoint (authenticated with either the auth cookie or the `Authorization` header) that contains a specially-crafted field lets an attacker trigger an out-of-memory error on the hosting server. To trigger this error, the attacker needs permission to create or edit datasets.
CVSS base metrics (the extracted page listed only the values; the labels below follow the standard metric order):
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: LOW
- User Interaction: NONE
- Scope: UNCHANGED
- Confidentiality: NONE
- Integrity: NONE
- Availability: HIGH
CWE-130 - Improper Handling of Length Parameter Inconsistency
The software parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data.
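The CWE-130 pattern above, and the memory-exhaustion outcome described in the summary, can be shown on a small constructed length-prefixed record format. The following is an added illustration written for this page, not CKAN's code and not the specific field that triggers CVE-2023-50248 (the advisory does not describe it): the format, the `MAX_FIELD_LEN` cap and the sample inputs are assumptions. The trusting parser allocates at the declared size before checking that the payload exists, so a few bytes of input can demand a large allocation; the checked parser validates the length field against both a fixed cap and the bytes actually remaining before it allocates anything.

```python
"""CWE-130 illustration: a length field that disagrees with the data.

Constructed record format (an assumption for this example): each field is a
4-byte big-endian length followed by that many payload bytes.
"""
import struct

# Upper bound on a single field; an assumed policy value for this example.
MAX_FIELD_LEN = 64 * 1024


class LengthInconsistency(ValueError):
    """Raised when a declared length cannot be satisfied by the input."""


def parse_trusting(buf: bytes) -> list:
    """Vulnerable pattern: the declared length is trusted as-is.

    A buffer is allocated at the declared size before checking that the
    payload is actually present, so a short message carrying a huge length
    field forces a large allocation. A missing payload is silently
    zero-padded instead of being rejected.
    """
    fields = []
    pos = 0
    while pos + 4 <= len(buf):
        (declared,) = struct.unpack_from(">I", buf, pos)
        pos += 4
        field = bytearray(declared)        # sized by the untrusted length
        chunk = buf[pos:pos + declared]    # may be far shorter than declared
        field[:len(chunk)] = chunk         # remainder stays zero-filled
        fields.append(bytes(field))
        pos += declared
    return fields


def parse_checked(buf: bytes) -> list:
    """Hardened pattern: validate the length field before any allocation.

    Two checks are needed: the declared length must not exceed a fixed cap,
    and it must not exceed the number of bytes that actually remain.
    """
    fields = []
    pos = 0
    while pos + 4 <= len(buf):
        (declared,) = struct.unpack_from(">I", buf, pos)
        pos += 4
        if declared > MAX_FIELD_LEN:
            raise LengthInconsistency(
                f"declared length {declared} exceeds cap {MAX_FIELD_LEN}")
        remaining = len(buf) - pos
        if declared > remaining:
            raise LengthInconsistency(
                f"declared length {declared} but only {remaining} bytes remain")
        fields.append(buf[pos:pos + declared])
        pos += declared
    if pos != len(buf):
        raise LengthInconsistency("trailing bytes do not form a complete header")
    return fields


def rejects(buf: bytes) -> bool:
    """True if the hardened parser refuses the input."""
    try:
        parse_checked(buf)
    except LengthInconsistency:
        return True
    return False


def encode(fields) -> bytes:
    """Builds a well-formed message; used to construct the sample input."""
    return b"".join(struct.pack(">I", len(f)) + f for f in fields)


# Constructed sample inputs.
GOOD = encode([b"title=Example dataset", b"notes=hello"])
# A length field of 4096 followed by only three payload bytes.
INCONSISTENT = struct.pack(">I", 4096) + b"abc"

if __name__ == "__main__":
    print(parse_checked(GOOD))
    print(len(parse_trusting(INCONSISTENT)[0]), "bytes allocated from 7 bytes of input")
    print("hardened parser rejects it:", rejects(INCONSISTENT))
```

The point of the second check is that a cap alone is not enough: a declared length under the cap that still exceeds the available bytes is the same inconsistency and should be rejected rather than padded. Rejecting before allocation keeps the cost of a bad message proportional to its actual size.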
Advisory Timeline
- Published