CVE-2024-53848 Information
Description
check-jsonschema is a CLI and set of pre-commit hooks for jsonschema validation. The default cache strategy uses the basename of a remote schema as the name of the file in the cache, e.g. https://example.org/schema.json will be stored as schema.json. This naming allows for conflicts. If an attacker can get a user to run check-jsonschema against a malicious schema URL, e.g. https://example.evil.org/schema.json, they can insert their own schema into the cache and it will be picked up and used instead of the appropriate schema. Such a cache confusion attack could be used to allow data to pass validation which should have been rejected.

This issue has been patched in version 0.30.0. All users are advised to upgrade. A few workarounds exist:

1. Users can use --no-cache to disable caching.
2. Users can use --cache-filename to select filenames for use in the cache or to ensure that other usages do not overwrite the cached schema. (Note: this flag is being deprecated as part of the remediation effort.)
3. Users can explicitly download the schema before use as a local file, as in: curl -LOs https://example.org/schema.json; check-jsonschema --schemafile ./schema.json
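The cache-name conflict described above, as an added example that is not check-jsonschema's own code: a simplified cache model that reuses any entry with a matching file name, keyed first by URL basename and then by a hash of the full URL. The function names and the SHA-256 naming scheme are assumptions chosen to illustrate a collision-free key, not a description of what version 0.30.0 implements.

```python
import hashlib
import posixpath
from urllib.parse import urlsplit

# The two URLs used in the description above.
TRUSTED = "https://example.org/schema.json"
EVIL = "https://example.evil.org/schema.json"


def basename_cache_name(url: str) -> str:
    """Cache file name as the description states it: the URL's basename."""
    return posixpath.basename(urlsplit(url).path)


def url_hash_cache_name(url: str) -> str:
    """Assumed alternative: SHA-256 of the full URL, keeping the extension."""
    _, ext = posixpath.splitext(urlsplit(url).path)
    return hashlib.sha256(url.encode("utf-8")).hexdigest() + ext


def served_from(requests, namer):
    """Return, for each requested URL, the URL whose content the cache serves.

    Simplified model (an assumption): an entry is downloaded only when no
    file with that name exists yet, and is reused on every later lookup.
    """
    cache = {}  # cache file name -> URL whose content is stored under it
    used = []
    for url in requests:
        name = namer(url)
        cache.setdefault(name, url)  # "download" only on a cache miss
        used.append(cache[name])
    return used


if __name__ == "__main__":
    order = [EVIL, TRUSTED]  # the other host's schema is fetched first
    for namer in (basename_cache_name, url_hash_cache_name):
        print(namer.__name__)
        for requested, source in zip(order, served_from(order, namer)):
            status = "ok" if requested == source else "CONFUSED"
            print(f"  {requested} -> content from {source} [{status}]")
```

With basename keys both URLs map to schema.json, so the second lookup is served the first URL's content; with full-URL keys each URL gets its own entry.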
Reference
https://github.com/python-jsonschema/check-jsonschema/commit/c52714b85e6725b1b24516fbdedacb333b939152
https://github.com/python-jsonschema/check-jsonschema/security/advisories/GHSA-q6mv-284r-mp36