CVE-2022-32511
Deserialization of Untrusted Data vulnerability in jmespath (RubyGems)

Weakness class: Deserialization of Untrusted Data. Known public exploit: none.

What is CVE-2022-32511 About?

jmespath.rb versions before 1.6.1 deserialize JSON with `JSON.load` where `JSON.parse` should be used. If the application passes untrusted input through this path, the result can be arbitrary code execution, allowing attackers to run commands on the server. Exploitation is straightforward when malicious input can reach the `JSON.load` call.

Affected Software

jmespath <1.6.1

Technical Details

The vulnerability in jmespath.rb (aka JMESPath for Ruby) before version 1.6.1 stems from the use of `JSON.load` instead of the safer `JSON.parse` when processing JSON data. In Ruby, `JSON.load` deserializes not only the standard JSON types but can also instantiate arbitrary Ruby objects when the input JSON includes class information (e.g., the `JSON.dump(object, quirks_mode: true)` output of Ruby objects). If an attacker can supply malicious JSON to a function that subsequently calls `JSON.load`, they can inject arbitrary Ruby objects into the application's memory. This can lead to arbitrary code execution, because constructors or other methods of the deserialized objects may run with attacker-controlled data.
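The following is an added example, not code from jmespath.rb, showing the difference described above. The benign class `Widget` and the input string `UNTRUSTED` are constructed for the demonstration: `JSON.load` with additions enabled instantiates the class named in the input, `JSON.parse` returns a plain Hash, and a small helper flags input that carries the class-hint key so it can be logged or rejected before it reaches a loader.

```ruby
require 'json'

# Constructed, harmless class that opts into the json gem's "additions"
# protocol: any loaded class that responds to json_create can be built
# from JSON carrying the JSON.create_id key ("json_class" by default).
class Widget
  attr_reader :name

  def initialize(name)
    @name = name
  end

  def self.json_create(hash)
    new(hash['name'])
  end
end

# Constructed sample of input arriving from an untrusted source.
UNTRUSTED = '{"json_class":"Widget","name":"from the wire"}'

# What the vulnerable path does: JSON.load with additions enabled. Older
# json gems enabled create_additions by default for JSON.load; it is set
# explicitly here so the result is the same on newer gems (which warn or
# default to false).
def load_with_additions(src)
  JSON.load(src, nil, { create_additions: true })
end

# The fix: JSON.parse never instantiates classes; "json_class" stays an
# ordinary string-valued key in the returned Hash.
def safe_parse(src)
  JSON.parse(src)
end

# Detection helper: walk a parsed document and report whether any object
# carries the additions key, so such input can be logged or rejected.
def carries_class_hint?(node)
  case node
  when Hash
    node.key?(JSON.create_id) || node.values.any? { |v| carries_class_hint?(v) }
  when Array
    node.any? { |v| carries_class_hint?(v) }
  else
    false
  end
end

if $PROGRAM_NAME == __FILE__
  puts load_with_additions(UNTRUSTED).class        # Widget
  puts safe_parse(UNTRUSTED).class                 # Hash
  puts carries_class_hint?(safe_parse(UNTRUSTED))  # true
end
```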

What is the Impact of CVE-2022-32511?

Successful exploitation may allow attackers to inject arbitrary code, leading to remote code execution and full compromise of the affected system.

What is the Exploitability of CVE-2022-32511?

Exploitation requires the application to deserialize untrusted JSON input through jmespath.rb's use of `JSON.load`. Complexity is low if the application processes external, untrusted input directly. Authentication is not required when the input vector is reachable without it. The attack can be remote, typically via HTTP requests carrying malicious JSON payloads. The primary risk factor is an application that accepts JSON from users and passes it to the vulnerable `JSON.load` path without prior validation.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
(no known public exploits)

What are the Available Fixes for CVE-2022-32511?

Available Upgrade Options

  • jmespath
    • <1.6.1 → Upgrade to 1.6.1

Additional Resources

What are Similar Vulnerabilities to CVE-2022-32511?

Similar Vulnerabilities: CVE-2022-24765, CVE-2020-8199, CVE-2020-8176, CVE-2019-16782, CVE-2019-10758