CVE-2024-53848

CVSS 3.1 Score 7.1 of 10 (high)

Details

Published Nov 29, 2024
CWE ID 349

Summary

CVE-2024-53848 affects the check-jsonschema tool, which is used for jsonschema validation via CLI and pre-commit hooks. The default cache strategy of this tool uses the basename of remote schemas for caching, leading to potential naming conflicts. An attacker who manages to convince a user to validate a malicious schema URL can insert their own schema into the cache, allowing data to pass validation and potentially leading to security vulnerabilities. This issue has been addressed in version 0.30.0 and users are advised to upgrade. Alternative measures to mitigate the risk include disabling caching, selecting custom filenames for the cache, or downloading the schema as a local file before validation. The use of --cache-filename flag is being deprecated in the remediation effort.

Ligh bulbPrevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

Share