CVE-2024-53848 (GCVE-0-2024-53848)

Vulnerability from cvelistv5 – Published: 2024-11-29 18:39 – Updated: 2024-12-02 22:20
VLAI?
Title
check-jsonschema default caching for remote schemas allows for cache confusion
Summary
check-jsonschema is a CLI and set of pre-commit hooks for jsonschema validation. The default cache strategy uses the basename of a remote schema as the name of the file in the cache, e.g. `https://example.org/schema.json` will be stored as `schema.json`. This naming allows for conflicts. If an attacker can get a user to run `check-jsonschema` against a malicious schema URL, e.g., `https://example.evil.org/schema.json`, they can insert their own schema into the cache and it will be picked up and used instead of the appropriate schema. Such a cache confusion attack could be used to allow data to pass validation which should have been rejected. This issue has been patched in version 0.30.0. All users are advised to upgrade. A few workarounds exist: 1. Users can use `--no-cache` to disable caching. 2. Users can use `--cache-filename` to select filenames for use in the cache, or to ensure that other usages do not overwrite the cached schema. (Note: this flag is being deprecated as part of the remediation effort.) 3. Users can explicitly download the schema before use as a local file, as in `curl -LOs https://example.org/schema.json; check-jsonschema --schemafile ./schema.json`
Severity ?
7.1 (High)
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
CWE
  • CWE-349 - Acceptance of Extraneous Untrusted Data With Trusted Data
Assigner
References
Impacted products
Vendor Product Version
python-jsonschema check-jsonschema Affected: < 0.30.0
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-53848",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-02T22:19:56.819438Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-02T22:20:06.647Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "check-jsonschema",
          "vendor": "python-jsonschema",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.30.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "check-jsonschema is a CLI and set of pre-commit hooks for jsonschema validation. The default cache strategy uses the basename of a remote schema as the name of the file in the cache, e.g. `https://example.org/schema.json` will be stored as `schema.json`. This naming allows for conflicts. If an attacker can get a user to run `check-jsonschema` against a malicious schema URL, e.g., `https://example.evil.org/schema.json`, they can insert their own schema into the cache and it will be picked up and used instead of the appropriate schema. Such a cache confusion attack could be used to allow data to pass validation which should have been rejected. This issue has been patched in version 0.30.0. All users are advised to upgrade. A few workarounds exist: 1. Users can use `--no-cache` to disable caching. 2. Users can use `--cache-filename` to select filenames for use in the cache, or to ensure that other usages do not overwrite the cached schema. (Note: this flag is being deprecated as part of the remediation effort.) 3. Users can explicitly download the schema before use as a local file, as in `curl -LOs https://example.org/schema.json; check-jsonschema --schemafile ./schema.json`"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-349",
              "description": "CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-29T18:39:11.195Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/python-jsonschema/check-jsonschema/security/advisories/GHSA-q6mv-284r-mp36",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/python-jsonschema/check-jsonschema/security/advisories/GHSA-q6mv-284r-mp36"
        },
        {
          "name": "https://github.com/python-jsonschema/check-jsonschema/commit/c52714b85e6725b1b24516fbdedacb333b939152",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/python-jsonschema/check-jsonschema/commit/c52714b85e6725b1b24516fbdedacb333b939152"
        }
      ],
      "source": {
        "advisory": "GHSA-q6mv-284r-mp36",
        "discovery": "UNKNOWN"
      },
      "title": "check-jsonschema default caching for remote schemas allows for cache confusion"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-53848",
    "datePublished": "2024-11-29T18:39:11.195Z",
    "dateReserved": "2024-11-22T17:30:02.140Z",
    "dateUpdated": "2024-12-02T22:20:06.647Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"check-jsonschema is a CLI and set of pre-commit hooks for jsonschema validation. The default cache strategy uses the basename of a remote schema as the name of the file in the cache, e.g. `https://example.org/schema.json` will be stored as `schema.json`. This naming allows for conflicts. If an attacker can get a user to run `check-jsonschema` against a malicious schema URL, e.g., `https://example.evil.org/schema.json`, they can insert their own schema into the cache and it will be picked up and used instead of the appropriate schema. Such a cache confusion attack could be used to allow data to pass validation which should have been rejected. This issue has been patched in version 0.30.0. All users are advised to upgrade. A few workarounds exist: 1. Users can use `--no-cache` to disable caching. 2. Users can use `--cache-filename` to select filenames for use in the cache, or to ensure that other usages do not overwrite the cached schema. (Note: this flag is being deprecated as part of the remediation effort.) 3. Users can explicitly download the schema before use as a local file, as in `curl -LOs https://example.org/schema.json; check-jsonschema --schemafile ./schema.json`\"}, {\"lang\": \"es\", \"value\": \"check-jsonschema es una CLI y un conjunto de ganchos de pre-confirmaci\\u00f3n para la validaci\\u00f3n de jsonschema. La estrategia de cach\\u00e9 predeterminada utiliza el nombre base de un esquema remoto como el nombre del archivo en la cach\\u00e9, p. ej., `https://example.org/schema.json` se almacenar\\u00e1 como `schema.json`. Este nombre permite conflictos. Si un atacante puede lograr que un usuario ejecute `check-jsonschema` contra una URL de esquema malintencionada, p. ej., `https://example.evil.org/schema.json`, puede insertar su propio esquema en la cach\\u00e9 y se seleccionar\\u00e1 y usar\\u00e1 en lugar del esquema apropiado. Un ataque de confusi\\u00f3n de cach\\u00e9 de este tipo podr\\u00eda usarse para permitir que los datos pasen la validaci\\u00f3n que deber\\u00edan haber sido rechazados. Este problema se ha corregido en la versi\\u00f3n 0.30.0. Se recomienda a todos los usuarios que actualicen. Existen algunos workaround: 1. Los usuarios pueden usar `--no-cache` para deshabilitar el almacenamiento en cach\\u00e9. 2. Los usuarios pueden usar `--cache-filename` para seleccionar nombres de archivos para usar en la memoria cach\\u00e9 o para garantizar que otros usos no sobrescriban el esquema almacenado en cach\\u00e9. (Nota: esta opci\\u00f3n se est\\u00e1 descontinuando como parte del esfuerzo de remediaci\\u00f3n). 3. Los usuarios pueden descargar expl\\u00edcitamente el esquema antes de usarlo como un archivo local, como en `curl -LOs https://example.org/schema.json; check-jsonschema --schemafile ./schema.json`\"}]",
      "id": "CVE-2024-53848",
      "lastModified": "2024-11-29T19:15:09.290",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N\", \"baseScore\": 7.1, \"baseSeverity\": \"HIGH\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.5, \"impactScore\": 4.0}]}",
      "published": "2024-11-29T19:15:09.290",
      "references": "[{\"url\": \"https://github.com/python-jsonschema/check-jsonschema/commit/c52714b85e6725b1b24516fbdedacb333b939152\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/python-jsonschema/check-jsonschema/security/advisories/GHSA-q6mv-284r-mp36\", \"source\": \"security-advisories@github.com\"}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Awaiting Analysis",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-349\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-53848\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-11-29T19:15:09.290\",\"lastModified\":\"2024-11-29T19:15:09.290\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"check-jsonschema is a CLI and set of pre-commit hooks for jsonschema validation. The default cache strategy uses the basename of a remote schema as the name of the file in the cache, e.g. `https://example.org/schema.json` will be stored as `schema.json`. This naming allows for conflicts. If an attacker can get a user to run `check-jsonschema` against a malicious schema URL, e.g., `https://example.evil.org/schema.json`, they can insert their own schema into the cache and it will be picked up and used instead of the appropriate schema. Such a cache confusion attack could be used to allow data to pass validation which should have been rejected. This issue has been patched in version 0.30.0. All users are advised to upgrade. A few workarounds exist: 1. Users can use `--no-cache` to disable caching. 2. Users can use `--cache-filename` to select filenames for use in the cache, or to ensure that other usages do not overwrite the cached schema. (Note: this flag is being deprecated as part of the remediation effort.) 3. Users can explicitly download the schema before use as a local file, as in `curl -LOs https://example.org/schema.json; check-jsonschema --schemafile ./schema.json`\"},{\"lang\":\"es\",\"value\":\"check-jsonschema es una CLI y un conjunto de ganchos de pre-confirmaci\u00f3n para la validaci\u00f3n de jsonschema. La estrategia de cach\u00e9 predeterminada utiliza el nombre base de un esquema remoto como el nombre del archivo en la cach\u00e9, p. ej., `https://example.org/schema.json` se almacenar\u00e1 como `schema.json`. Este nombre permite conflictos. Si un atacante puede lograr que un usuario ejecute `check-jsonschema` contra una URL de esquema malintencionada, p. ej., `https://example.evil.org/schema.json`, puede insertar su propio esquema en la cach\u00e9 y se seleccionar\u00e1 y usar\u00e1 en lugar del esquema apropiado. Un ataque de confusi\u00f3n de cach\u00e9 de este tipo podr\u00eda usarse para permitir que los datos pasen la validaci\u00f3n que deber\u00edan haber sido rechazados. Este problema se ha corregido en la versi\u00f3n 0.30.0. Se recomienda a todos los usuarios que actualicen. Existen algunos workaround: 1. Los usuarios pueden usar `--no-cache` para deshabilitar el almacenamiento en cach\u00e9. 2. Los usuarios pueden usar `--cache-filename` para seleccionar nombres de archivos para usar en la memoria cach\u00e9 o para garantizar que otros usos no sobrescriban el esquema almacenado en cach\u00e9. (Nota: esta opci\u00f3n se est\u00e1 descontinuando como parte del esfuerzo de remediaci\u00f3n). 3. Los usuarios pueden descargar expl\u00edcitamente el esquema antes de usarlo como un archivo local, como en `curl -LOs https://example.org/schema.json; check-jsonschema --schemafile ./schema.json`\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N\",\"baseScore\":7.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.5,\"impactScore\":4.0}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-349\"}]}],\"references\":[{\"url\":\"https://github.com/python-jsonschema/check-jsonschema/commit/c52714b85e6725b1b24516fbdedacb333b939152\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/python-jsonschema/check-jsonschema/security/advisories/GHSA-q6mv-284r-mp36\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-53848\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-12-02T22:19:56.819438Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-12-02T22:20:02.556Z\"}}], \"cna\": {\"title\": \"check-jsonschema default caching for remote schemas allows for cache confusion\", \"source\": {\"advisory\": \"GHSA-q6mv-284r-mp36\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 7.1, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"python-jsonschema\", \"product\": \"check-jsonschema\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.30.0\"}]}], \"references\": [{\"url\": \"https://github.com/python-jsonschema/check-jsonschema/security/advisories/GHSA-q6mv-284r-mp36\", \"name\": \"https://github.com/python-jsonschema/check-jsonschema/security/advisories/GHSA-q6mv-284r-mp36\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/python-jsonschema/check-jsonschema/commit/c52714b85e6725b1b24516fbdedacb333b939152\", \"name\": \"https://github.com/python-jsonschema/check-jsonschema/commit/c52714b85e6725b1b24516fbdedacb333b939152\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"check-jsonschema is a CLI and set of pre-commit hooks for jsonschema validation. The default cache strategy uses the basename of a remote schema as the name of the file in the cache, e.g. `https://example.org/schema.json` will be stored as `schema.json`. This naming allows for conflicts. If an attacker can get a user to run `check-jsonschema` against a malicious schema URL, e.g., `https://example.evil.org/schema.json`, they can insert their own schema into the cache and it will be picked up and used instead of the appropriate schema. Such a cache confusion attack could be used to allow data to pass validation which should have been rejected. This issue has been patched in version 0.30.0. All users are advised to upgrade. A few workarounds exist: 1. Users can use `--no-cache` to disable caching. 2. Users can use `--cache-filename` to select filenames for use in the cache, or to ensure that other usages do not overwrite the cached schema. (Note: this flag is being deprecated as part of the remediation effort.) 3. Users can explicitly download the schema before use as a local file, as in `curl -LOs https://example.org/schema.json; check-jsonschema --schemafile ./schema.json`\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-349\", \"description\": \"CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-11-29T18:39:11.195Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-53848\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-12-02T22:20:06.647Z\", \"dateReserved\": \"2024-11-22T17:30:02.140Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-11-29T18:39:11.195Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.