Jawn is an open source JSON parser. Extenders of the `org.typelevel.jawn.SimpleFacade` and `org.typelevel.jawn.MutableFacade` who don't override `objectContext()` are vulnerable to a hash collision attack which may result in a denial of service. Most applications do not implement these traits directly, but inherit from a library. `jawn-parser-1.3.1` fixes this issue and users are advised to upgrade. For users unable to upgrade override `objectContext()` to use a collision-safe collection.
References
Link | Resource |
---|---|
https://github.com/typelevel/jawn/pull/390 | Exploit Issue Tracking Patch Third Party Advisory |
https://github.com/typelevel/jawn/security/advisories/GHSA-vc89-hccf-rq55 | Patch Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: GitHub_M
Published: 2022-01-05T21:00:12
Updated: 2022-01-05T21:00:12
Reserved: 2021-11-16T00:00:00
Link: CVE-2022-21653
JSON object: View
NVD Information
Status : Analyzed
Published: 2022-01-05T21:15:07.890
Modified: 2022-01-12T18:54:46.157
Link: CVE-2022-21653
JSON object: View
Redhat Information
No data.