
Cloud Vulnerability DB
A community-led vulnerabilities database
CKAN (Comprehensive Knowledge Archive Network) was found to contain multiple critical vulnerabilities identified as CVE-2023-32321, discovered and disclosed on May 24, 2023. The vulnerabilities affect CKAN versions before 2.9.9 and 2.10.1, impacting the open-source data management system used for powering data hubs and data portals (GitHub Advisory, NVD).
The vulnerability consists of multiple components: an arbitrary file write vulnerability in the resource_create and package_update actions (also accessible via package_create, package_revise, and package_patch), remote code execution through unsafe pickle loading via Beaker's session store when using the file session store backend, potential denial of service due to missing resource ID length validation, and unauthorized access to resources. The vulnerability has received a CVSS v3.1 base score of 9.8 CRITICAL with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).
The vulnerabilities allow attackers with permissions to create or edit a dataset to upload resources with specially crafted IDs, potentially leading to arbitrary file writes and remote code execution. Additionally, users with resource creation permissions can access and overwrite any resource in the system if they know the ID, even without proper access rights, leading to information disclosure and potential system compromise (GitHub Advisory).
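As an added illustration (not CKAN's own code), the following shows the kind of hardened resource-ID check that closes off the crafted-ID file-write and missing-length-validation components described above: the ID must be a canonical UUID and the resolved path must stay under the storage root. The sharded directory layout, function names and sample IDs are assumptions constructed for the example.

```python
import os
import re

# CKAN assigns resource IDs with str(uuid.uuid4()): 36 lowercase hex/hyphen characters.
# Anything else (path separators, dots, oversized strings) is rejected before it touches the filesystem.
RESOURCE_ID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
MAX_RESOURCE_ID_LEN = 36


def validate_resource_id(resource_id: str) -> bool:
    """Return True only for a canonical UUID string.

    The length check runs first so that a huge caller-supplied ID is rejected
    cheaply instead of being fed to the regex or the filesystem (the DoS angle).
    """
    if not isinstance(resource_id, str) or len(resource_id) > MAX_RESOURCE_ID_LEN:
        return False
    return RESOURCE_ID_RE.match(resource_id) is not None


def resource_storage_path(storage_root: str, resource_id: str) -> str:
    """Build the on-disk path for a resource, refusing any ID that could escape storage_root.

    Assumed layout (hypothetical, modelled on sharded resource directories):
    <storage_root>/<id[0:3]>/<id[3:6]>/<id[6:]>
    """
    if not validate_resource_id(resource_id):
        raise ValueError(f"rejected resource id: {resource_id[:40]!r}")
    root = os.path.realpath(storage_root)
    candidate = os.path.realpath(
        os.path.join(root, resource_id[0:3], resource_id[3:6], resource_id[6:])
    )
    # Defence in depth: even a validated ID must resolve to a path under the storage root.
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("resolved path escapes the storage root")
    return candidate


def is_storable(storage_root: str, resource_id: str) -> bool:
    """Convenience wrapper: True if the ID would be accepted for writing under storage_root."""
    try:
        resource_storage_path(storage_root, resource_id)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample IDs: one legitimate UUID, one path-like string, one oversized string.
    for rid in ("123e4567-e89b-12d3-a456-426614174000", "../../outside", "a" * 5000):
        print(f"{rid[:40]!r:45} storable={is_storable('/srv/ckan/resources', rid)}")
```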
All vulnerabilities have been patched in CKAN versions 2.9.9 and 2.10.1. Users are strongly advised to upgrade to these versions. The patches for CKAN 2.9 can be applied to previous CKAN versions. Additionally, it is recommended to configure Beaker to use cookie-based sessions instead of file-based storage using specific configuration parameters in ckan.ini (GitHub Advisory).
Source: This report was generated using AI