CVE-2023-22746: 
NixOS vulnerability analysis and mitigation

CKAN (Comprehensive Knowledge Archive Network) is an open-source data management system that was found to have a security vulnerability identified as CVE-2023-22746. The vulnerability was discovered when Docker images were using the same default secret key across different CKAN instances, potentially allowing attackers to forge authentication requests. This issue was disclosed on February 3, 2023, and affected multiple Docker image distributions including ckan/ckan-docker, okfn/docker-ckan, and keitaroinc/docker-ckan. The vulnerability received a CVSS v3.1 score of 7.5, indicating HIGH severity (NVD).

The vulnerability stemmed from the use of a shared default secret key across different CKAN instances when creating new containers based on affected Docker images. If users didn't set a custom value via environment variables in the .env file, the shared key made it possible for attackers to forge authentication requests. The affected Docker images included ckan/ckan-base images from ckan/ckan-docker, openknowledge/ckan-base and openknowledge/ckan-dev images from okfn/docker-ckan, and keitaro/ckan images from keitaroinc/docker-ckan. Notably, the legacy images (ckan/ckan) in the main CKAN repository were not affected by this issue (GitHub Advisory).

The vulnerability could allow attackers to forge authentication requests across different CKAN instances that were using the default secret key. This could potentially lead to unauthorized access to CKAN installations and compromise of user sessions. The severity of the impact is reflected in the HIGH CVSS score of 7.5, indicating significant potential for security breaches in affected systems (NVD).

The vulnerability was patched in all affected Docker images to generate fresh keys each time a container is created. Users should pull the latest version of the relevant image to implement the fix. However, implementing the patch will invalidate all existing sessions (forcing users to log in again) and existing API tokens. It is recommended to persist the session secret key using appropriate methods such as environment variables or mounted ini files. Users who had already overridden the default secret key in their .env file were not affected by this vulnerability (GitHub Advisory).