Vulnerability Description
Jawn is an open source JSON parser. Extenders of the `org.typelevel.jawn.SimpleFacade` and `org.typelevel.jawn.MutableFacade` who don't override `objectContext()` are vulnerable to a hash collision attack which may result in a denial of service. Most applications do not implement these traits directly, but inherit from a library. `jawn-parser-1.3.1` fixes this issue and users are advised to upgrade. For users unable to upgrade override `objectContext()` to use a collision-safe collection.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Typelevel | Jawn | < 1.3.2 |
Related Weaknesses (CWE)
References
- https://github.com/typelevel/jawn/pull/390ExploitIssue TrackingPatch
- https://github.com/typelevel/jawn/security/advisories/GHSA-vc89-hccf-rq55PatchThird Party Advisory
- https://github.com/typelevel/jawn/pull/390ExploitIssue TrackingPatch
- https://github.com/typelevel/jawn/security/advisories/GHSA-vc89-hccf-rq55PatchThird Party Advisory
FAQ
What is CVE-2022-21653?
CVE-2022-21653 is a vulnerability with a CVSS score of 5.9 (MEDIUM). Jawn is an open source JSON parser. Extenders of the `org.typelevel.jawn.SimpleFacade` and `org.typelevel.jawn.MutableFacade` who don't override `objectContext()` are vulnerable to a hash collision at...
How severe is CVE-2022-21653?
CVE-2022-21653 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-21653?
Check the references section above for vendor advisories and patch information. Affected products include: Typelevel Jawn.