check-jsonschema is vulnerable to Acceptance of Extraneous Untrusted Data With Trusted Data
High Risk
Affected versions of check-jsonschema are vulnerable to a cache confusion attack caused by the default cache strategy, which stores remote schemas under their basename only (e.g., https://example.org/schema.json is cached as schema.json). If an attacker tricks a user into validating against a malicious schema that shares that basename (e.g., https://example.evil.org/schema.json), the two URLs collide in the cache and the attacker’s schema may be served in place of the legitimate one, allowing invalid data to pass validation. This issue is patched in version 0.30.0. Update to the latest version, or apply a workaround: disable caching with --no-cache, specify a cache filename with --cache-filename (deprecated), or download schemas locally before validation.
You are affected if you are using a version that falls within the vulnerable range.
check-jsonschema is vulnerable to Acceptance of Extraneous Untrusted Data With Trusted Data in versions 0.1.0 - 0.29.4.
Upgrade the check-jsonschema library to the patch version.
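The following is an added illustration of the cache collision described above; it is not code from check-jsonschema, and the schemas, URLs and fetch function are constructed stand-ins. It contrasts a basename-only cache key (the vulnerable strategy the advisory describes) with a key derived from the full URL (an assumed hardening, not a claim about the project's exact fix), and shows that with basename keys a permissive schema cached earlier is reused for the legitimate URL, so a document missing a required field passes.

```python
import hashlib
import posixpath
from urllib.parse import urlparse

# Constructed sample schemas standing in for what the two URLs would serve.
# The legitimate schema requires a "name" field; the attacker-controlled host
# serves a permissive schema under the same basename.
REMOTE_SCHEMAS = {
    "https://example.org/schema.json": {"type": "object", "required": ["name"]},
    "https://example.evil.org/schema.json": {"type": "object"},
}


def fetch_schema(url):
    """Stand-in for an HTTP fetch; returns the constructed schema for a URL."""
    return REMOTE_SCHEMAS[url]


def basename_key(url):
    """Vulnerable strategy from the advisory: only the path's basename."""
    return posixpath.basename(urlparse(url).path)


def full_url_key(url):
    """Hardened strategy (assumption, not the project's exact fix): a digest of
    the complete URL, so schemas on different hosts never share an entry."""
    return hashlib.sha256(url.encode("utf-8")).hexdigest()


class SchemaCache:
    """Minimal remote-schema cache parameterised by its key derivation."""

    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.entries = {}

    def get(self, url):
        key = self.key_fn(url)
        if key not in self.entries:  # cache hit on a colliding key skips the fetch
            self.entries[key] = fetch_schema(url)
        return self.entries[key]


def required_fields_present(schema, doc):
    """Minimal check standing in for full JSON Schema validation."""
    return all(field in doc for field in schema.get("required", []))


def invalid_document_passes(key_fn):
    """Scenario: the attacker's schema is cached first (the user was tricked into
    validating against it), then the legitimate URL is used to validate a
    document that lacks the required "name" field. Returns True if it passes."""
    cache = SchemaCache(key_fn)
    cache.get("https://example.evil.org/schema.json")
    schema = cache.get("https://example.org/schema.json")
    return required_fields_present(schema, {})


if __name__ == "__main__":
    print("basename key, invalid doc passes:", invalid_document_passes(basename_key))
    print("full-URL key, invalid doc passes:", invalid_document_passes(full_url_key))
```

The same collision disappears when caching is disabled entirely, which is why --no-cache is listed as a workaround; keying on the full URL keeps the cache while removing the ambiguity.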