#VU64034 Code Injection in JSON schema


Published: 2022-06-07 | Updated: 2022-07-15

Vulnerability identifier: #VU64034

Vulnerability risk: High

CVSSv3.1:

CVE-ID: CVE-2021-3918

CWE-ID:

Exploitation vector: Network

Exploit availability:

Vulnerable software:
JSON schema
Web applications / JS libraries

Vendor: Tom de Grunt

Description

The disclosed vulnerability allows a remote attacker to execute arbitrary code on the system.

The vulnerability exists due to insufficient sanitization of user-supplied data during the validation of a JSON object. A remote attacker can pass a specially crafted JSON file for validation and execute arbitrary code.

Mitigation
Install update from vendor's website.

Vulnerable software versions

JSON schema: 0.0.0 - 0.3.2

Fixed software versions

CPE

External links
http://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741
http://huntr.dev/bounties/bb6ccd63-f505-4e3a-b55f-cd2662c261a9

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM QRadar User Behavior Analytics
Multiple vulnerabilities in Dell Cloud Tiering Appliance
SUSE update for SUSE Manager Client Tools
SUSE update for SUSE Manager Client Tools
SUSE update for SUSE Manager Client Tools
Code Injection in IBM Edge Application Manager
Ubuntu update for node-json-schema
Multiple vulnerabilities in Dell RecoverPoint Classic
Multiple vulnerabilities in IBM Cloud Transformation Advisor
Code Injection in IBM Process Mining