CVE-2022-21653
Jawn is an open source JSON parser. Extenders of the `org.typelevel.jawn.SimpleFacade` and `org.typelevel.jawn.MutableFacade` who don't override `objectContext()` are vulnerable to a hash collision attack which may result in a denial of service. Most applications do not implement these traits directly, but inherit from a library. `jawn-parser-1.3.1` fixes this issue and users are advised to upgrade. For users unable to upgrade, override `objectContext()` to use a collision-safe collection.
Published at: 2022-01-05
Modified: 2022-01-05
References:
CONFIRM: https://github.com/typelevel/jawn/security/advisories/GHSA-vc89-hccf-rq55
MISC: https://github.com/typelevel/jawn/pull/390