CVE-2025-64100
BaseFortify
Publication date: 2025-10-29
Last updated on: 2025-10-30
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ckan | ckan | 2.10.0 up to, but not including, 2.10.9 (fixed in 2.10.9) |
| ckan | ckan | 2.11 series before 2.11.4 (fixed in 2.11.4) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-384 | Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions. |
AI Powered Q&A
Can you explain this vulnerability to me?
CKAN deployments configured with server-side session storage did not issue a fresh session identifier when a user logged in. That makes session fixation possible: an attacker obtains a valid, still unauthenticated session ID from the site, plants it in the victim's browser (for example by setting the session cookie), and waits for the victim to log in. Because the same ID is carried across the login, the attacker's copy of it is now an authenticated session and the attacker can act as the victim. The same hijack applies if the attacker instead steals the victim's valid session ID. The fix, shipped in CKAN 2.10.9 and 2.11.4, regenerates the session identifier on every login so that any ID known before authentication stops being valid.
How can this vulnerability impact me?
A successful session fixation gives the attacker the victim's authenticated CKAN session. The attacker can then do whatever that account can do: read and modify the datasets, organisations and account settings the victim has access to, including any non-public data the victim is authorised to see.
What immediate steps should I take to mitigate this vulnerability?
Upgrade to CKAN 2.10.9 or 2.11.4 (or a later release in those series); both regenerate the session identifier after every login, which is the actual fix. Until you can upgrade, check your session configuration: only deployments using server-side session storage are affected. Switching the session backend just to dodge this issue is a poor trade, since server-side storage is what lets you revoke sessions; instead reduce the attacker's ability to plant or read session cookies by serving CKAN only over HTTPS, setting the session cookie with the Secure, HttpOnly and SameSite attributes, and making sure no other application on the same host or a sibling subdomain can set cookies for the CKAN domain. After upgrading, verify the fix by logging in and confirming that the session cookie value changes across the login.
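As an added illustration (not CKAN's code and not the upstream fix), the following Python model shows the mechanism described in the explanation and mitigation answers above: a server-side session store, a login handler that either keeps or regenerates the session ID, and the fixation scenario played against both variants. The store, the toy app, the user database and the cookie-planting step are all constructed assumptions for the example.

```python
"""Session fixation against a server-side session store, and the login-time
session-ID regeneration that closes it. Added example; not CKAN code.
Everything here (store, app, users, planting step) is constructed."""
import secrets

# Constructed user database (example only).
USERS = {"victim": "correct horse battery staple"}


class SessionStore:
    """Minimal stand-in for a server-side session backend (e.g. Redis)."""

    def __init__(self):
        self._data = {}

    def create(self):
        sid = secrets.token_urlsafe(32)
        self._data[sid] = {}
        return sid

    def get(self, sid):
        return self._data.get(sid)

    def rotate(self, old_sid):
        """Move the session data to a fresh ID and invalidate the old one.
        Both halves matter: a new ID without deleting the old record would
        leave the attacker's copy valid."""
        data = self._data.pop(old_sid, {})
        new_sid = secrets.token_urlsafe(32)
        self._data[new_sid] = data
        return new_sid


class App:
    """Toy web app. The only difference between the vulnerable and the fixed
    behaviour is whether login() issues a new session ID."""

    def __init__(self, regenerate_on_login):
        self.store = SessionStore()
        self.regenerate_on_login = regenerate_on_login

    def request(self, cookie_sid):
        """Resolve the session cookie; a missing or unknown ID gets a new
        session. Returns the ID the response would Set-Cookie."""
        if cookie_sid is None or self.store.get(cookie_sid) is None:
            return self.store.create()
        return cookie_sid

    def login(self, cookie_sid, username, password):
        sid = self.request(cookie_sid)
        if not secrets.compare_digest(USERS.get(username, ""), password):
            return sid, False
        if self.regenerate_on_login:
            sid = self.store.rotate(sid)  # the fix: fresh ID, old one gone
        self.store.get(sid)["user"] = username
        return sid, True

    def whoami(self, cookie_sid):
        sess = self.store.get(cookie_sid)
        return sess.get("user") if sess else None


def simulate_fixation(regenerate_on_login):
    """Play the fixation scenario and report what each party ends up with."""
    app = App(regenerate_on_login)
    # 1. Attacker obtains a valid anonymous session ID from the site.
    attacker_sid = app.request(None)
    # 2. Attacker plants it in the victim's browser. The planting vector
    #    (cookie injection via a sibling subdomain, XSS, etc.) is assumed.
    planted_sid = attacker_sid
    # 3. Victim logs in while carrying the planted cookie.
    victim_sid, ok = app.login(planted_sid, "victim", USERS["victim"])
    assert ok
    return {
        "victim_logged_in_as": app.whoami(victim_sid),
        "attacker_sees": app.whoami(attacker_sid),
        "same_sid": victim_sid == attacker_sid,
    }


if __name__ == "__main__":
    print("vulnerable:", simulate_fixation(regenerate_on_login=False))
    print("fixed:     ", simulate_fixation(regenerate_on_login=True))
```

With `regenerate_on_login=False` the victim's login is bound to the attacker's pre-planted ID, so the attacker's copy of that ID now resolves to the victim's account. With `True` the login moves the session to a new ID and deletes the old record, so the attacker's ID resolves to nothing. Note what the rotation does not protect against: an attacker who steals the ID after the victim has logged in still has a valid session, which is why HTTPS and the cookie attributes in the mitigation answer remain necessary.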