Vulnerability Instance
Lookup for vulnerabilities affecting packages.
GET /api/vulnerabilities/41966?format=api
{ "url": "http://public2.vulnerablecode.io/api/vulnerabilities/41966?format=api", "vulnerability_id": "VCID-hh75-nhsu-pba8", "summary": "Hash collision in typelevel jawn\nExtenders of the `org.typelevel.jawn.SimpleFacade` and `org.typelevel.jawn.MutableFacade` who don't override `objectContext()` are vulnerable to a hash collision attack. Most applications do not implement these traits directly, but inherit from a library:\n\nAffected implementations include:\n* `org.http4s` :: `http4s-play-json`\n* `org.typelevel :: jawn-ast` (< 0.8.0)\n* `org.typelevel :: jawn-play` (discontinued)\n* `org.typelevel :: jawn-rojoma` (discontinued)\n* `org.typelevel :: jawn-spray` (discontinued)\n\nUnaffected implementations include:\n* `io.argonaut :: argonaut-jawn`\n* `io.circe :: circe-parser`\n* `org.typelevel :: jawn-ast` (>= 0.8.0)\n* `org.typelevel :: jawn-json4s` (discontinued)\n* `org.typelevel :: jawn-argonaut` (discontinued)", "aliases": [ { "alias": "CVE-2022-21653" }, { "alias": "GHSA-vc89-hccf-rq55" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/60042?format=api", "purl": "pkg:maven/org.typelevel/jawn-parser@1.3.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.typelevel/jawn-parser@1.3.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/60018?format=api", "purl": "pkg:maven/org.typelevel/jawn-parser_2.12@1.3.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.typelevel/jawn-parser_2.12@1.3.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/60005?format=api", "purl": "pkg:maven/org.typelevel/jawn-parser_2.13@1.3.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.typelevel/jawn-parser_2.13@1.3.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/60029?format=api", "purl": "pkg:maven/org.typelevel/jawn-parser_3@1.3.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.typelevel/jawn-parser_3@1.3.2" } ], "affected_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/60056?format=api", "purl": "pkg:maven/org.typelevel/jawn-parser_0.25@None", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-hh75-nhsu-pba8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.typelevel/jawn-parser_0.25@None" }, { "url": "http://public2.vulnerablecode.io/api/packages/60027?format=api", "purl": "pkg:maven/org.typelevel/jawn-parser_0.27@None", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-hh75-nhsu-pba8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.typelevel/jawn-parser_0.27@None" }, { "url": "http://public2.vulnerablecode.io/api/packages/60022?format=api", "purl": "pkg:maven/org.typelevel/jawn-parser_2.10@None", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-hh75-nhsu-pba8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.typelevel/jawn-parser_2.10@None" }, { "url": "http://public2.vulnerablecode.io/api/packages/59988?format=api", "purl": "pkg:maven/org.typelevel/jawn-parser_2.11@None", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-hh75-nhsu-pba8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.typelevel/jawn-parser_2.11@None" }, { "url": "http://public2.vulnerablecode.io/api/packages/59983?format=api", "purl": "pkg:maven/org.typelevel/jawn-parser_2.13.0-M5@None", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-hh75-nhsu-pba8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.typelevel/jawn-parser_2.13.0-M5@None" }, { "url": "http://public2.vulnerablecode.io/api/packages/60030?format=api", "purl": "pkg:maven/org.typelevel/jawn-parser_2.13.0-RC1@None", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-hh75-nhsu-pba8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.typelevel/jawn-parser_2.13.0-RC1@None" }, { "url": "http://public2.vulnerablecode.io/api/packages/59980?format=api", "purl": "pkg:maven/org.typelevel/jawn-parser_2.13.0-RC2@None", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-hh75-nhsu-pba8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.typelevel/jawn-parser_2.13.0-RC2@None" }, { "url": "http://public2.vulnerablecode.io/api/packages/60002?format=api", "purl": "pkg:maven/org.typelevel/jawn-parser_2.13.0-RC3@None", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-hh75-nhsu-pba8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.typelevel/jawn-parser_2.13.0-RC3@None" }, { "url": "http://public2.vulnerablecode.io/api/packages/59991?format=api", "purl": "pkg:maven/org.typelevel/jawn-parser_3.0.0-M1@None", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-hh75-nhsu-pba8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.typelevel/jawn-parser_3.0.0-M1@None" }, { "url": "http://public2.vulnerablecode.io/api/packages/60003?format=api", "purl": "pkg:maven/org.typelevel/jawn-parser_3.0.0-M2@None", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-hh75-nhsu-pba8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.typelevel/jawn-parser_3.0.0-M2@None" }, { "url": "http://public2.vulnerablecode.io/api/packages/60053?format=api", "purl": "pkg:maven/org.typelevel/jawn-parser_3.0.0-M3@None", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-hh75-nhsu-pba8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.typelevel/jawn-parser_3.0.0-M3@None" }, { "url": "http://public2.vulnerablecode.io/api/packages/60032?format=api", "purl": "pkg:maven/org.typelevel/jawn-parser_3.0.0-RC1@None", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-hh75-nhsu-pba8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.typelevel/jawn-parser_3.0.0-RC1@None" }, { "url": "http://public2.vulnerablecode.io/api/packages/59989?format=api", "purl": "pkg:maven/org.typelevel/jawn-parser_3.0.0-RC2@None", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-hh75-nhsu-pba8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.typelevel/jawn-parser_3.0.0-RC2@None" }, { "url": "http://public2.vulnerablecode.io/api/packages/59994?format=api", "purl": "pkg:maven/org.typelevel/jawn-parser_3.0.0-RC3@None", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-hh75-nhsu-pba8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.typelevel/jawn-parser_3.0.0-RC3@None" }, { "url": "http://public2.vulnerablecode.io/api/packages/60060?format=api", "purl": "pkg:maven/org.typelevel/jawn-parserg@None", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-hh75-nhsu-pba8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.typelevel/jawn-parserg@None" } ], "references": [ { "reference_url": "https://github.com/typelevel/jawn", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/typelevel/jawn" }, { "reference_url": "https://github.com/typelevel/jawn/pull/390", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/typelevel/jawn/pull/390" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21653", "reference_id": "CVE-2022-21653", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21653" }, { "reference_url": "https://github.com/advisories/GHSA-vc89-hccf-rq55", "reference_id": "GHSA-vc89-hccf-rq55", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-vc89-hccf-rq55" }, { "reference_url": "https://github.com/typelevel/jawn/security/advisories/GHSA-vc89-hccf-rq55", "reference_id": "GHSA-vc89-hccf-rq55", "reference_type": "", "scores": [], "url": "https://github.com/typelevel/jawn/security/advisories/GHSA-vc89-hccf-rq55" } ], "weaknesses": [ { "cwe_id": 326, "name": "Inadequate Encryption Strength", "description": "The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required." }, { "cwe_id": 400, "name": "Uncontrolled Resource Consumption", "description": "The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources." }, { "cwe_id": 937, "name": "OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013." }, { "cwe_id": 1035, "name": "OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017." } ], "exploits": [], "severity_range_score": null, "exploitability": null, "weighted_severity": null, "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hh75-nhsu-pba8" }