CVE-2022-32511: 
Ruby vulnerability analysis and mitigation

CVE-2022-32511 affects jmespath.rb (JMESPath for Ruby) versions before 1.6.1. The vulnerability was discovered in June 2022 and involves the improper use of JSON.load instead of JSON.parse in the library. The vulnerability affects multiple systems including Fedora Linux distributions and other systems using the affected versions of the jmespath.rb library (NVD, CVE).

The vulnerability stems from the use of JSON.load in situations where JSON.parse would be more secure. JSON.load is considered unsafe when given untrusted input as it provides a way to instantiate arbitrary classes beyond the standard Hash, String, Array, and Number classes. The vulnerability has been assigned a CVSS v3.1 Base Score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability could allow an attacker to execute arbitrary code through maliciously crafted JSON input. Since JSON.load allows for instantiation of arbitrary classes, it could potentially lead to remote code execution if exploited. This is particularly dangerous when processing untrusted JSON data (Stack Overflow).

The vulnerability has been fixed in jmespath.rb version 1.6.1. Users should upgrade to this version or later to mitigate the vulnerability. The fix involves replacing the unsafe JSON.load with JSON.parse in the codebase (Github PR, Fedora Update).