CKAN Session Fixation Vulnerability Allowing Session ID Manipulation

Vulnerability

A session fixation vulnerability has been identified in CKAN, an open-source data management system, in versions prior to 2.10.9 and 2.11.4. When configured with server-side session storage, session IDs could be manipulated by an attacker. The attacker would need to either set a cookie in the victim's browser or steal an active session cookie. This issue has been addressed by ensuring that session identifiers are regenerated after each login.

Impact

Exploitation of this vulnerability allowed session fixation: an attacker who could manipulate a session ID could potentially perform unauthorized actions within the affected user's authenticated session.

Reproduction

To reproduce this vulnerability, configure CKAN to use server-side session storage. An attacker can then either set a cookie in the victim's browser or steal a valid session cookie. Once the cookie is set or stolen, the attacker can hijack the user's session, as the session ID can be fixed and controlled.
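The fix described in the vulnerability section (regenerating the session identifier at login) and the failure mode described in the reproduction section, modelled as an added example. This is not CKAN's or Flask's code; it uses a dict-backed server-side store, places a login handler that keeps the presented session ID beside one that rotates it, and ends with the check a maintainer would want in a test suite: that the pre-login ID no longer resolves to an authenticated session. All names and the scenario are constructed.

```python
"""Server-side sessions with and without session-ID regeneration at login.

Added illustration only: not CKAN's own session code. The store is an
in-memory dict standing in for a server-side session backend.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class SessionStore:
    """Server-side store mapping cookie value -> session data (assumed shape)."""
    sessions: Dict[str, dict] = field(default_factory=dict)

    def new_session(self) -> str:
        """Mint an unguessable session ID and register an empty session."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {}
        return sid

    def get(self, sid: str) -> Optional[dict]:
        return self.sessions.get(sid)

    def load_or_create(self, cookie_sid: Optional[str]) -> str:
        """Pre-login request: reuse the presented cookie if the store knows it,
        otherwise mint a fresh session (normal anonymous behaviour)."""
        if cookie_sid is not None and cookie_sid in self.sessions:
            return cookie_sid
        return self.new_session()


def login_without_regeneration(store: SessionStore, cookie_sid: Optional[str], user: str) -> str:
    """Vulnerable pattern: authenticate into whatever session ID the browser
    presented, so an ID known before login stays valid after it."""
    sid = store.load_or_create(cookie_sid)
    store.sessions[sid]["user"] = user
    return sid


def login_with_regeneration(store: SessionStore, cookie_sid: Optional[str], user: str) -> str:
    """Fixed pattern: drop the pre-login ID, mint a new one, carry over any
    pre-login data, and only then mark the session authenticated."""
    old_sid = store.load_or_create(cookie_sid)
    old_data = store.sessions.pop(old_sid)       # old ID is no longer valid
    new_sid = store.new_session()
    store.sessions[new_sid].update(old_data)
    store.sessions[new_sid]["user"] = user
    return new_sid


def authenticated_user(store: SessionStore, sid: str) -> Optional[str]:
    """Who, if anyone, the store considers logged in under this ID."""
    data = store.get(sid)
    return data.get("user") if data else None


def login_rotates_session_id(login_fn) -> bool:
    """Regression check: after login the pre-login ID must be both different
    from the new ID and no longer authenticated."""
    store = SessionStore()
    pre_login_sid = store.new_session()           # ID that existed before login
    post_login_sid = login_fn(store, pre_login_sid, "alice")
    return post_login_sid != pre_login_sid and authenticated_user(store, pre_login_sid) is None


if __name__ == "__main__":
    print("vulnerable login rotates ID:", login_rotates_session_id(login_without_regeneration))  # False
    print("fixed login rotates ID:     ", login_rotates_session_id(login_with_regeneration))     # True
```

`login_rotates_session_id` is the shape of test worth keeping in an application's suite: it does not care how a pre-login ID might become known elsewhere, only that knowledge of it is worthless once the user authenticates, which is the property the CKAN fix restores.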

Remediation

Users can upgrade to CKAN versions 2.10.9 or 2.11.4 to address this vulnerability.

Added: Oct 29, 2025, 6:18 PM
Updated: Oct 29, 2025, 6:18 PM

Vulnerability Rating

Custom Algorithm

spread: 1.6
impact: 0.6
exploitability: 7.6
remediation: 7.7
relevance: 0.8
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.