Extenders of the org.typelevel.jawn.SimpleFacade and org.typelevel.jawn.MutableFacade who don't override objectContext() are vulnerable to a hash collision attack. Most applications do not implement these traits directly, but inherit from a library:
Affected implementations include:
* org.http4s :: http4s-play-json
* org.typelevel :: jawn-ast (< 0.8.0)
* org.typelevel :: jawn-play (discontinued)
* org.typelevel :: jawn-rojoma (discontinued)
* org.typelevel :: jawn-spray (discontinued)
Unaffected implementations include:
* io.argonaut :: argonaut-jawn
* io.circe :: circe-parser
* org.typelevel :: jawn-ast (>= 0.8.0)
* org.typelevel :: jawn-json4s (discontinued)
* org.typelevel :: jawn-argonaut (discontinued)
jawn-parser-1.3.2 fixes the issue.
Override objectContext() to use a collision-safe collection. See the patch for an example in both SimpleFacade and MutableFacade.
If you have any questions or comments about this advisory:
* Open an issue in typelevel/jawn
* E-mail a maintainer:
* @rossabaker
| Score | Percentile |
|---|---|
| 0.14% | 34.48% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 5.9 | 3.1 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-vc89-hccf-rq55 ↗ |
| CVE | CVE-2022-21653 ↗ |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| maven | org.typelevel:jawn-parser_0.25 | < 1.3.2 | — | — |
| maven | org.typelevel:jawn-parserg | < 1.3.2 | — | — |
| maven | org.typelevel:jawn-parser_0.27 | < 1.3.2 | — | — |
| maven | org.typelevel:jawn-parser_2.10 | < 1.3.2 | — | — |
| maven | org.typelevel:jawn-parser_2.11 | < 1.3.2 | — | — |
| maven | org.typelevel:jawn-parser_2.12 | < 1.3.2 | 1.3.2 | — |
| maven | org.typelevel:jawn-parser_2.13 | < 1.3.2 | 1.3.2 | — |
| maven | org.typelevel:jawn-parser_2.13.0-M5 | < 1.3.2 | — | — |
| maven | org.typelevel:jawn-parser_2.13.0-RC1 | < 1.3.2 | — | — |
| maven | org.typelevel:jawn-parser_2.13.0-RC2 | < 1.3.2 | — | — |
| maven | org.typelevel:jawn-parser_2.13.0-RC3 | < 1.3.2 | — | — |
| maven | org.typelevel:jawn-parser_3 | < 1.3.2 | 1.3.2 | — |
| maven | org.typelevel:jawn-parser_3.0.0-M1 | < 1.3.2 | — | — |
| maven | org.typelevel:jawn-parser_3.0.0-M2 | < 1.3.2 | — | — |
| maven | org.typelevel:jawn-parser_3.0.0-M3 | < 1.3.2 | — | — |
| maven | org.typelevel:jawn-parser_3.0.0-RC1 | < 1.3.2 | — | — |
| maven | org.typelevel:jawn-parser_3.0.0-RC2 | < 1.3.2 | — | — |
| maven | org.typelevel:jawn-parser_3.0.0-RC3 | < 1.3.2 | — | — |