CVE-2024-53848 check-jsonschema

Package

Manager: pip
Name: check-jsonschema
Vulnerable Version: >=0 <0.30.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N

EPSS: 0.00022 (percentile 0.04378)

Details

check-jsonschema default caching for remote schemas allows for cache confusion

### Impact

The default cache strategy uses the basename of a remote schema as the name of the file in the cache, e.g. `https://example.org/schema.json` will be stored as `schema.json`. This naming allows for conflicts. If an attacker can get a user to run `check-jsonschema` against a malicious schema URL, e.g., `https://example.evil.org/schema.json`, they can insert their own schema into the cache and it will be picked up and used instead of the appropriate schema. Such a cache confusion attack could be used to allow data to pass validation which should have been rejected.

### Patches

A patch is in progress but has not yet been released.

### Workarounds

- Users can use `--no-cache` to disable caching.
- Users can use `--cache-filename` to select filenames for use in the cache, or to ensure that other usages do not overwrite the cached schema. (Note: this flag is being deprecated as part of the remediation effort.)
- Users can explicitly download the schema before use as a local file, as in `curl -LOs https://example.org/schema.json; check-jsonschema --schemafile ./schema.json`
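The collision the advisory describes comes down to how the cache key is derived from the URL. The following added example (written for this page; it is not check-jsonschema's own code and does not reproduce its cache implementation) models a schema cache with a pluggable key function. `basename_key` mirrors the weak scheme from the advisory text, while `url_hash_key` is a hypothetical hardening that keys on a digest of the full URL. The `REMOTE` map stands in for the network, and the minimal `is_valid` check only enforces `required`, so the example runs offline with no dependencies.

```python
import hashlib
import posixpath
from urllib.parse import urlparse

# Constructed stand-in for the network: URL -> schema document.
# The "evil" schema is empty, so it accepts any instance.
REMOTE = {
    "https://example.org/schema.json": {"type": "object", "required": ["id"]},
    "https://example.evil.org/schema.json": {},
}


def basename_key(url: str) -> str:
    """Weak key, as the advisory describes: only the URL's last path segment.
    Any two URLs ending in the same filename map to the same cache entry."""
    return posixpath.basename(urlparse(url).path)


def url_hash_key(url: str) -> str:
    """Hypothetical hardened key: digest of the full URL, so distinct
    origins or paths never share a cache entry."""
    return hashlib.sha256(url.encode("utf-8")).hexdigest()


class SchemaCache:
    """In-memory cache modelling a file-per-key on-disk cache."""

    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.store = {}

    def fetch(self, url: str) -> dict:
        key = self.key_fn(url)
        if key not in self.store:          # cache miss: "download" and store
            self.store[key] = REMOTE[url]
        return self.store[key]             # cache hit: whatever sits under key


def is_valid(instance: dict, schema: dict) -> bool:
    """Minimal validator: only the 'required' keyword is enforced."""
    return all(k in instance for k in schema.get("required", []))


def run_scenario(key_fn) -> bool:
    """A cache is first populated via the attacker-controlled URL, then the
    legitimate URL is fetched and an instance lacking 'id' is validated.
    Returns True if the bogus instance is (wrongly) accepted."""
    cache = SchemaCache(key_fn)
    cache.fetch("https://example.evil.org/schema.json")
    schema = cache.fetch("https://example.org/schema.json")
    return is_valid({"name": "no id here"}, schema)


if __name__ == "__main__":
    print("basename key -> instance accepted:", run_scenario(basename_key))
    print("url-hash key -> instance accepted:", run_scenario(url_hash_key))
```

With the basename key, both URLs collapse to `schema.json`, so the second fetch returns the empty schema already in the cache and the invalid instance passes; with the full-URL digest the two entries are distinct and validation rejects it. The same idea is what `--cache-filename` approximates by hand, and `--no-cache` avoids by not caching at all.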

Metadata

Created: 2024-12-02T17:29:05Z
Modified: 2024-12-02T17:29:05Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-q6mv-284r-mp36/GHSA-q6mv-284r-mp36.json
CWE IDs: ["CWE-349"]
Alternative ID: GHSA-q6mv-284r-mp36
Finding: F184
Auto approve: 1