PT-2022-15008 · Typelevel · Jawn-Parser

Kag0 · Published 2022-01-05 · Updated 2022-02-20

CVE-2022-21653

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
jawn-parser versions prior to 1.3.1; org.typelevel :: jawn-ast versions prior to 0.8.0

Description
Jawn is an open source JSON parser. Extenders of org.typelevel.jawn.SimpleFacade and org.typelevel.jawn.MutableFacade that do not override objectContext() are vulnerable to a hash collision attack, which may result in a denial of service. Most applications do not implement these traits directly but inherit them from a library.

Recommendations
For versions prior to 1.3.1, upgrade to jawn-parser 1.3.1 or later. Users unable to upgrade should override objectContext() so that object members are collected in a collision-safe collection. As a temporary workaround, overriding objectContext() in any implementation of org.typelevel.jawn.SimpleFacade or org.typelevel.jawn.MutableFacade in this way minimizes the risk of exploitation.
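As an added illustration of the recommended workaround (example code written for this page, not Jawn's own source and not its 1.3.1 fix), the facade below overrides objectContext() so that object members accumulate in a TreeMap, which orders keys by string comparison rather than by hash code, so colliding hashCodes cannot degrade insertion cost. It assumes the jawn 1.x shapes of Facade.SimpleFacade, FContext.NoIndexFContext and Parser.parseFromString; the J* AST classes are constructed for the example and the import path should be checked against the jawn version in use (the advisory names the trait as org.typelevel.jawn.SimpleFacade).

```scala
import org.typelevel.jawn.{FContext, Parser}
import org.typelevel.jawn.Facade.SimpleFacade   // assumed 1.x location of the trait
import scala.collection.immutable.TreeMap

// Minimal AST constructed for this example (not the jawn-ast types).
sealed trait J
case object JNull extends J
final case class JBool(b: Boolean) extends J
final case class JNum(s: String) extends J
final case class JStr(s: String) extends J
final case class JArr(vs: List[J]) extends J
final case class JObj(vs: Map[String, J]) extends J

// Keeps SimpleFacade's default arrayContext() but replaces objectContext():
// members are stored in a TreeMap, so each insert is O(log n) by key
// comparison regardless of how attacker-chosen keys hash.
object CollisionSafeFacade extends SimpleFacade[J] {
  def jnull: J = JNull
  def jfalse: J = JBool(false)
  def jtrue: J = JBool(true)
  def jnum(s: CharSequence, decIndex: Int, expIndex: Int): J = JNum(s.toString)
  def jstring(s: CharSequence): J = JStr(s.toString)
  def jarray(vs: List[J]): J = JArr(vs)
  def jobject(vs: Map[String, J]): J = JObj(vs)

  override def objectContext(): FContext[J] = new FContext.NoIndexFContext[J] {
    private[this] var key: String = null          // pending member name
    private[this] var vs: TreeMap[String, J] = TreeMap.empty
    // Strings arrive alternately as key, then value; a string value is wrapped.
    def add(s: CharSequence): Unit =
      if (key == null) key = s.toString
      else { vs = vs.updated(key, jstring(s)); key = null }
    def add(v: J): Unit = { vs = vs.updated(key, v); key = null }
    def finish(): J = jobject(vs)
    def isObj: Boolean = true
  }
}

object Demo extends App {
  // Constructed input; keys come out ordered because of the TreeMap.
  val doc = """{"b":1,"a":[true,null],"c":{"x":"y"}}"""
  println(Parser.parseFromString(doc)(CollisionSafeFacade))
}
```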

Exploit

Fix

DoS

Resource Exhaustion

Inadequate Encryption Strength

Weakness Enumeration

Related Identifiers

CVE-2022-21653
GHSA-VC89-HCCF-RQ55
OPENSUSE-SU-2022:0011-1
OPENSUSE-SU-2022:0045-1
OPENSUSE-SU-2022:0106-1
OPENSUSE-SU-2022_0106-1
OPENSUSE-SU-2024:11718-1

Affected Products

Suse
Jawn-Ast
Jawn-Parser