GHSA-q6mv-284r-mp36

Source

https://github.com/advisories/GHSA-q6mv-284r-mp36

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-q6mv-284r-mp36/GHSA-q6mv-284r-mp36.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-q6mv-284r-mp36

Aliases

CVE-2024-53848

Published

2024-12-02T17:29:05Z

Modified

2024-12-02T17:42:20.739880Z

Severity

7.1 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N CVSS Calculator
6.1 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N CVSS Calculator

Summary

check-jsonschema default caching for remote schemas allows for cache confusion

Details

Impact

The default cache strategy uses the basename of a remote schema as the name of the file in the cache, e.g. https://example.org/schema.json will be stored as schema.json. This naming allows for conflicts. If an attacker can get a user to run check-jsonschema against a malicious schema URL, e.g., https://example.evil.org/schema.json, they can insert their own schema into the cache and it will be picked up and used instead of the appropriate schema.

Such a cache confusion attack could be used to allow data to pass validation which should have been rejected.

Patches

A patch is in progress but has not yet been released.

Workarounds

Users can use --no-cache to disable caching.
Users can use --cache-filename to select filenames for use in the cache, or to ensure that other usages do not overwrite the cached schema. (Note: this flag is being deprecated as part of the remediation effort.)
Users can explicitly download the schema before use as a local file, as in curl -LOs https://example.org/schema.json; check-jsonschema --schemafile ./schema.json

Database specific

{
    "nvd_published_at": "2024-11-29T19:15:09Z",
    "cwe_ids": [
        "CWE-349"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-12-02T17:29:05Z"
}

References

Affected packages

PyPI / check-jsonschema

Package

Name: check-jsonschema; View open source insights on deps.dev
Purl: pkg:pypi/check-jsonschema

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.30.0

Affected versions

0.*

0.1.0

0.1.1

0.2.0

0.2.1

0.3.0

0.3.1

0.3.2

0.4.0

0.4.1

0.5.0

0.5.1

0.6.0

0.7.0

0.7.1

0.8.0

0.8.1

0.8.2

0.9.0

0.9.1

0.10.0

0.10.1

0.10.2

0.11.0

0.12.0

0.13.0

0.14.0

0.14.1

0.14.2

0.14.3

0.15.0

0.15.1

0.16.0

0.16.1

0.16.2

0.17.0

0.17.1

0.18.0

0.18.1

0.18.2

0.18.3

0.18.4

0.19.0

0.19.1

0.19.2

0.20.0

0.21.0

0.22.0

0.23.0

0.23.1

0.23.2

0.23.3

0.24.0

0.24.1

0.25.0

0.26.0

0.26.1

0.26.2

0.26.3

0.27.0

0.27.1

0.27.2

0.27.3

0.27.4

0.28.0

0.28.1

0.28.2

0.28.3

0.28.4

0.28.5

0.28.6

0.29.0

0.29.1

0.29.2

0.29.3

0.29.4