CVE-2024-53848 (GCVE-0-2024-53848)
Vulnerability from cvelistv5
Published
2024-11-29 18:39
Modified
2024-12-02 22:20
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-349 - Acceptance of Extraneous Untrusted Data With Trusted Data
Summary
check-jsonschema is a CLI and set of pre-commit hooks for jsonschema validation. The default cache strategy uses the basename of a remote schema as the name of the file in the cache, e.g. `https://example.org/schema.json` will be stored as `schema.json`. This naming allows for conflicts. If an attacker can get a user to run `check-jsonschema` against a malicious schema URL, e.g., `https://example.evil.org/schema.json`, they can insert their own schema into the cache and it will be picked up and used instead of the appropriate schema. Such a cache confusion attack could be used to allow data to pass validation which should have been rejected. This issue has been patched in version 0.30.0. All users are advised to upgrade. A few workarounds exist: 1. Users can use `--no-cache` to disable caching. 2. Users can use `--cache-filename` to select filenames for use in the cache, or to ensure that other usages do not overwrite the cached schema. (Note: this flag is being deprecated as part of the remediation effort.) 3. Users can explicitly download the schema before use as a local file, as in `curl -LOs https://example.org/schema.json; check-jsonschema --schemafile ./schema.json`
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| python-jsonschema | check-jsonschema |
Version: < 0.30.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-53848",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-02T22:19:56.819438Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-02T22:20:06.647Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "check-jsonschema",
"vendor": "python-jsonschema",
"versions": [
{
"status": "affected",
"version": "\u003c 0.30.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "check-jsonschema is a CLI and set of pre-commit hooks for jsonschema validation. The default cache strategy uses the basename of a remote schema as the name of the file in the cache, e.g. `https://example.org/schema.json` will be stored as `schema.json`. This naming allows for conflicts. If an attacker can get a user to run `check-jsonschema` against a malicious schema URL, e.g., `https://example.evil.org/schema.json`, they can insert their own schema into the cache and it will be picked up and used instead of the appropriate schema. Such a cache confusion attack could be used to allow data to pass validation which should have been rejected. This issue has been patched in version 0.30.0. All users are advised to upgrade. A few workarounds exist: 1. Users can use `--no-cache` to disable caching. 2. Users can use `--cache-filename` to select filenames for use in the cache, or to ensure that other usages do not overwrite the cached schema. (Note: this flag is being deprecated as part of the remediation effort.) 3. Users can explicitly download the schema before use as a local file, as in `curl -LOs https://example.org/schema.json; check-jsonschema --schemafile ./schema.json`"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-349",
"description": "CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-29T18:39:11.195Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/python-jsonschema/check-jsonschema/security/advisories/GHSA-q6mv-284r-mp36",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/python-jsonschema/check-jsonschema/security/advisories/GHSA-q6mv-284r-mp36"
},
{
"name": "https://github.com/python-jsonschema/check-jsonschema/commit/c52714b85e6725b1b24516fbdedacb333b939152",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/python-jsonschema/check-jsonschema/commit/c52714b85e6725b1b24516fbdedacb333b939152"
}
],
"source": {
"advisory": "GHSA-q6mv-284r-mp36",
"discovery": "UNKNOWN"
},
"title": "check-jsonschema default caching for remote schemas allows for cache confusion"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-53848",
"datePublished": "2024-11-29T18:39:11.195Z",
"dateReserved": "2024-11-22T17:30:02.140Z",
"dateUpdated": "2024-12-02T22:20:06.647Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2024-53848\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-11-29T19:15:09.290\",\"lastModified\":\"2024-11-29T19:15:09.290\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"check-jsonschema is a CLI and set of pre-commit hooks for jsonschema validation. The default cache strategy uses the basename of a remote schema as the name of the file in the cache, e.g. `https://example.org/schema.json` will be stored as `schema.json`. This naming allows for conflicts. If an attacker can get a user to run `check-jsonschema` against a malicious schema URL, e.g., `https://example.evil.org/schema.json`, they can insert their own schema into the cache and it will be picked up and used instead of the appropriate schema. Such a cache confusion attack could be used to allow data to pass validation which should have been rejected. This issue has been patched in version 0.30.0. All users are advised to upgrade. A few workarounds exist: 1. Users can use `--no-cache` to disable caching. 2. Users can use `--cache-filename` to select filenames for use in the cache, or to ensure that other usages do not overwrite the cached schema. (Note: this flag is being deprecated as part of the remediation effort.) 3. Users can explicitly download the schema before use as a local file, as in `curl -LOs https://example.org/schema.json; check-jsonschema --schemafile ./schema.json`\"},{\"lang\":\"es\",\"value\":\"check-jsonschema es una CLI y un conjunto de ganchos de pre-confirmaci\u00f3n para la validaci\u00f3n de jsonschema. La estrategia de cach\u00e9 predeterminada utiliza el nombre base de un esquema remoto como el nombre del archivo en la cach\u00e9, p. ej., `https://example.org/schema.json` se almacenar\u00e1 como `schema.json`. Este nombre permite conflictos. Si un atacante puede lograr que un usuario ejecute `check-jsonschema` contra una URL de esquema malintencionada, p. ej., `https://example.evil.org/schema.json`, puede insertar su propio esquema en la cach\u00e9 y se seleccionar\u00e1 y usar\u00e1 en lugar del esquema apropiado. Un ataque de confusi\u00f3n de cach\u00e9 de este tipo podr\u00eda usarse para permitir que los datos pasen la validaci\u00f3n que deber\u00edan haber sido rechazados. Este problema se ha corregido en la versi\u00f3n 0.30.0. Se recomienda a todos los usuarios que actualicen. Existen algunos workaround: 1. Los usuarios pueden usar `--no-cache` para deshabilitar el almacenamiento en cach\u00e9. 2. Los usuarios pueden usar `--cache-filename` para seleccionar nombres de archivos para usar en la memoria cach\u00e9 o para garantizar que otros usos no sobrescriban el esquema almacenado en cach\u00e9. (Nota: esta opci\u00f3n se est\u00e1 descontinuando como parte del esfuerzo de remediaci\u00f3n). 3. Los usuarios pueden descargar expl\u00edcitamente el esquema antes de usarlo como un archivo local, como en `curl -LOs https://example.org/schema.json; check-jsonschema --schemafile ./schema.json`\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N\",\"baseScore\":7.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.5,\"impactScore\":4.0}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-349\"}]}],\"references\":[{\"url\":\"https://github.com/python-jsonschema/check-jsonschema/commit/c52714b85e6725b1b24516fbdedacb333b939152\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/python-jsonschema/check-jsonschema/security/advisories/GHSA-q6mv-284r-mp36\",\"source\":\"security-advisories@github.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-53848\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-12-02T22:19:56.819438Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-12-02T22:20:02.556Z\"}}], \"cna\": {\"title\": \"check-jsonschema default caching for remote schemas allows for cache confusion\", \"source\": {\"advisory\": \"GHSA-q6mv-284r-mp36\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 7.1, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"python-jsonschema\", \"product\": \"check-jsonschema\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.30.0\"}]}], \"references\": [{\"url\": \"https://github.com/python-jsonschema/check-jsonschema/security/advisories/GHSA-q6mv-284r-mp36\", \"name\": \"https://github.com/python-jsonschema/check-jsonschema/security/advisories/GHSA-q6mv-284r-mp36\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/python-jsonschema/check-jsonschema/commit/c52714b85e6725b1b24516fbdedacb333b939152\", \"name\": \"https://github.com/python-jsonschema/check-jsonschema/commit/c52714b85e6725b1b24516fbdedacb333b939152\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"check-jsonschema is a CLI and set of pre-commit hooks for jsonschema validation. The default cache strategy uses the basename of a remote schema as the name of the file in the cache, e.g. `https://example.org/schema.json` will be stored as `schema.json`. This naming allows for conflicts. If an attacker can get a user to run `check-jsonschema` against a malicious schema URL, e.g., `https://example.evil.org/schema.json`, they can insert their own schema into the cache and it will be picked up and used instead of the appropriate schema. Such a cache confusion attack could be used to allow data to pass validation which should have been rejected. This issue has been patched in version 0.30.0. All users are advised to upgrade. A few workarounds exist: 1. Users can use `--no-cache` to disable caching. 2. Users can use `--cache-filename` to select filenames for use in the cache, or to ensure that other usages do not overwrite the cached schema. (Note: this flag is being deprecated as part of the remediation effort.) 3. Users can explicitly download the schema before use as a local file, as in `curl -LOs https://example.org/schema.json; check-jsonschema --schemafile ./schema.json`\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-349\", \"description\": \"CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-11-29T18:39:11.195Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-53848\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-12-02T22:20:06.647Z\", \"dateReserved\": \"2024-11-22T17:30:02.140Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-11-29T18:39:11.195Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…