Headline
GHSA-q6mv-284r-mp36: check-jsonschema default caching for remote schemas allows for cache confusion
Impact
The default cache strategy uses the basename of a remote schema URL as the name of the file in the cache, e.g. https://example.org/schema.json will be stored as schema.json. This naming allows for conflicts: any two remote schemas whose URLs end in the same basename share a single cache file, and a cache hit is served without re-checking which URL originally populated it. If an attacker can get a user to run check-jsonschema against a malicious schema URL with a colliding basename, e.g. https://example.evil.org/schema.json, they can insert their own schema into the cache, and it will be picked up and used on subsequent runs instead of the appropriate schema.
Such a cache confusion attack could be used to allow data to pass validation which should have been rejected.
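The collision described above, as an added example that is not code from check-jsonschema itself: a minimal on-disk schema cache keyed the vulnerable way (the URL's basename) beside the same cache keyed by a digest of the full URL. The digest scheme is an assumed hardening for illustration, not a description of the project's fix commit. The REMOTE table standing in for HTTP downloads, the SchemaCache class, the `accepts` helper and both URLs are constructed for this demonstration.

```python
"""Cache-confusion demo: basename cache keys vs. URL-digest cache keys.

Added illustration, not check-jsonschema's own code. The REMOTE table, the
SchemaCache class, the `accepts` helper and the hashed key scheme are all
constructed here to model the behaviour described in the advisory.
"""
import hashlib
import json
import os
import tempfile
from urllib.parse import urlsplit

GOOD_URL = "https://example.org/schema.json"       # the schema the user intends to use
EVIL_URL = "https://example.evil.org/schema.json"  # attacker-controlled, same basename

# Constructed stand-in for HTTP downloads: URL -> schema document.
# The legitimate schema demands a "signature" member; the attacker's accepts anything.
REMOTE = {
    GOOD_URL: {"type": "object", "required": ["signature"]},
    EVIL_URL: {},
}


def basename_cache_key(url: str) -> str:
    """Vulnerable naming: the cache file is the last path segment of the URL,
    so every URL ending in /schema.json maps to the same file."""
    return os.path.basename(urlsplit(url).path)


def hashed_cache_key(url: str) -> str:
    """Hardened naming (assumed here, not necessarily the project's fix): the
    file name is a digest of the full URL, so distinct URLs cannot collide."""
    return hashlib.sha256(url.encode("utf-8")).hexdigest() + ".json"


class SchemaCache:
    """Minimal on-disk cache: fetch on miss, reuse whatever file the key points at."""

    def __init__(self, cache_dir: str, key_func):
        self.cache_dir = cache_dir
        self.key_func = key_func

    def get(self, url: str) -> dict:
        path = os.path.join(self.cache_dir, self.key_func(url))
        if os.path.exists(path):                 # cache hit: the URL is never re-checked
            with open(path, encoding="utf-8") as f:
                return json.load(f)
        schema = REMOTE[url]                     # cache miss: "download" the schema
        with open(path, "w", encoding="utf-8") as f:
            json.dump(schema, f)
        return schema


def accepts(schema: dict, instance: dict) -> bool:
    """Tiny stand-in for a JSON Schema validator: enforces only `required`."""
    return all(key in instance for key in schema.get("required", []))


def unsigned_data_passes(key_func) -> bool:
    """Run the attack scenario with a fresh cache under the given naming scheme.

    1. The user is tricked into validating something against EVIL_URL once,
       which populates the cache.
    2. The user later validates untrusted input against GOOD_URL.
    Returns True if an instance lacking the required "signature" is accepted,
    i.e. if the attacker's schema was served in place of the legitimate one.
    """
    with tempfile.TemporaryDirectory() as cache_dir:
        cache = SchemaCache(cache_dir, key_func)
        cache.get(EVIL_URL)
        schema = cache.get(GOOD_URL)
        return accepts(schema, {"payload": "unsigned"})


if __name__ == "__main__":
    print("basename keys collide:",
          basename_cache_key(GOOD_URL) == basename_cache_key(EVIL_URL))
    print("unsigned data passes, basename cache:", unsigned_data_passes(basename_cache_key))
    print("unsigned data passes, hashed cache:  ", unsigned_data_passes(hashed_cache_key))
```

Under the basename scheme a single run against the attacker's URL is enough; there is no race to win, because the poisoned file is simply reused on every later hit for any URL sharing that basename. Keying on the full URL removes the collision, but it does not by itself protect against the legitimate origin being compromised, which is why the advisory's local-file workaround is still the most auditable option.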
Patches
A patch is in progress but has not yet been released.
Workarounds
- Users can use --no-cache to disable caching.
- Users can use --cache-filename to select filenames for use in the cache, or to ensure that other usages do not overwrite the cached schema. This only avoids the collision if the chosen name is unique to that schema. (Note: this flag is being deprecated as part of the remediation effort.)
- Users can explicitly download the schema before use as a local file, as in curl -LOs https://example.org/schema.json; check-jsonschema --schemafile ./schema.json
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2024-53848
Package
check-jsonschema (pip)
Affected versions
< 0.30.0
References
- GHSA-q6mv-284r-mp36
- https://nvd.nist.gov/vuln/detail/CVE-2024-53848
- python-jsonschema/check-jsonschema@c52714b
Published to the GitHub Advisory Database
Dec 2, 2024