### Impact A vulnerability in `datastore_search_sql` allowed attackers to inject SQL in order to gain access to private resources and PostgreSQL system information. ### Patches The issue has been patched in CKAN 2.10.10 and CKAN 2.11.5 ### Workarounds Disable the DataStore SQL search (`ckan.datastore.sqlsearch.enabled = false`). Note that the SQL search is disabled by default. ### More informa

### Impact OGC API - Process execution requests can use the `subscriber` object to requests to internal HTTP services. ### Patches The issue has been patched in master branch and made available as part of the 0.23.3 release. The patch disables any HTTP requests made to internal resources by default (unless explicitly defined in configuration by a new `allow_internal_requests` directive. The com

### Impact A raw string path concatenation vulnerability in pygeoapi's STAC FileSystemProvider plugin can allow for requests to STAC collection based collections to expose directories without authentication. The issue manifests when pygeoapi is deployed without a proxy or web front end that would normalize URLs with `..` values, along with a resource of type `stac-collection` defined in configura

Views can be marked as exempt from CSRF protection Access to the views via tokens or unauthenticated requests marked the endpoint as not requiring CSRF protection. The marking was a member variable in flask-wtf.csrf.CSRFProtect(), which was stored as a module level variable in the flask_app middleware. Thsi API was never intended for request level changes, it is primarily a decorator for stati