Lookup for vulnerable packages by Package URL.
| Purl | pkg:maven/org.typelevel/jawn-parser_2.13.0-M5@None |
|---|
| Type | maven |
|---|
| Namespace | org.typelevel |
|---|
| Name | jawn-parser_2.13.0-M5 |
|---|
| Version | None |
|---|
| Qualifiers |
|
|---|
| Subpath | |
|---|
| Is_vulnerable | true |
|---|
| Next_non_vulnerable_version | null |
|---|
| Latest_non_vulnerable_version | null |
|---|
| Affected_by_vulnerabilities |
| 0 |
| url |
VCID-hh75-nhsu-pba8 |
| vulnerability_id |
VCID-hh75-nhsu-pba8 |
| summary |
Hash collision in typelevel jawn
Extenders of the `org.typelevel.jawn.SimpleFacade` and `org.typelevel.jawn.MutableFacade` who don't override `objectContext()` are vulnerable to a hash collision attack. Most applications do not implement these traits directly, but inherit from a library:
Affected implementations include:
* `org.http4s` :: `http4s-play-json`
* `org.typelevel :: jawn-ast` (< 0.8.0)
* `org.typelevel :: jawn-play` (discontinued)
* `org.typelevel :: jawn-rojoma` (discontinued)
* `org.typelevel :: jawn-spray` (discontinued)
Unaffected implementations include:
* `io.argonaut :: argonaut-jawn`
* `io.circe :: circe-parser`
* `org.typelevel :: jawn-ast` (>= 0.8.0)
* `org.typelevel :: jawn-json4s` (discontinued)
* `org.typelevel :: jawn-argonaut` (discontinued) |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2022-21653, GHSA-vc89-hccf-rq55
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-hh75-nhsu-pba8 |
|
|
|---|
| Fixing_vulnerabilities |
|
|---|
| Risk_score | null |
|---|
| Resource_url | http://public2.vulnerablecode.io/packages/pkg:maven/org.typelevel/jawn-parser_2.13.0-M5@None |
|---|