cvelistv5 - cve-2022-21653

CVE-2022-21653 (GCVE-0-2022-21653)

Vulnerability from cvelistv5 – Published: 2022-01-05 21:00 – Updated: 2025-04-22 18:34

Summary

Jawn is an open source JSON parser. Extenders of the `org.typelevel.jawn.SimpleFacade` and `org.typelevel.jawn.MutableFacade` who don't override `objectContext()` are vulnerable to a hash collision attack which may result in a denial of service. Most applications do not implement these traits directly, but inherit from a library. `jawn-parser-1.3.1` fixes this issue and users are advised to upgrade. For users unable to upgrade override `objectContext()` to use a collision-safe collection.

Severity ?

5.9 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-400 - Uncontrolled Resource Consumption

Assigner

GitHub_M

References

URL

Tags

	https://github.com/typelevel/jawn/security/adviso…	x_refsource_CONFIRM
	https://github.com/typelevel/jawn/pull/390	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	typelevel	jawn	Affected: < 1.3.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T02:46:39.225Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/typelevel/jawn/security/advisories/GHSA-vc89-hccf-rq55"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/typelevel/jawn/pull/390"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-21653",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-22T15:52:18.494433Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-22T18:34:05.348Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "jawn",
          "vendor": "typelevel",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.3.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Jawn is an open source JSON parser. Extenders of the `org.typelevel.jawn.SimpleFacade` and `org.typelevel.jawn.MutableFacade` who don\u0027t override `objectContext()` are vulnerable to a hash collision attack which may result in a denial of service. Most applications do not implement these traits directly, but inherit from a library. `jawn-parser-1.3.1` fixes this issue and users are advised to upgrade. For users unable to upgrade override `objectContext()` to use a collision-safe collection."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-01-05T21:00:12.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/typelevel/jawn/security/advisories/GHSA-vc89-hccf-rq55"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/typelevel/jawn/pull/390"
        }
      ],
      "source": {
        "advisory": "GHSA-vc89-hccf-rq55",
        "discovery": "UNKNOWN"
      },
      "title": "Hash collision in typelevel jawn",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-21653",
          "STATE": "PUBLIC",
          "TITLE": "Hash collision in typelevel jawn"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "jawn",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 1.3.2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "typelevel"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Jawn is an open source JSON parser. Extenders of the `org.typelevel.jawn.SimpleFacade` and `org.typelevel.jawn.MutableFacade` who don\u0027t override `objectContext()` are vulnerable to a hash collision attack which may result in a denial of service. Most applications do not implement these traits directly, but inherit from a library. `jawn-parser-1.3.1` fixes this issue and users are advised to upgrade. For users unable to upgrade override `objectContext()` to use a collision-safe collection."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-400: Uncontrolled Resource Consumption"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/typelevel/jawn/security/advisories/GHSA-vc89-hccf-rq55",
              "refsource": "CONFIRM",
              "url": "https://github.com/typelevel/jawn/security/advisories/GHSA-vc89-hccf-rq55"
            },
            {
              "name": "https://github.com/typelevel/jawn/pull/390",
              "refsource": "MISC",
              "url": "https://github.com/typelevel/jawn/pull/390"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-vc89-hccf-rq55",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-21653",
    "datePublished": "2022-01-05T21:00:12.000Z",
    "dateReserved": "2021-11-16T00:00:00.000Z",
    "dateUpdated": "2025-04-22T18:34:05.348Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:typelevel:jawn:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"1.3.2\", \"matchCriteriaId\": \"19E5C6E5-A1A0-48F3-B773-32DF7F4C55E2\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Jawn is an open source JSON parser. Extenders of the `org.typelevel.jawn.SimpleFacade` and `org.typelevel.jawn.MutableFacade` who don\u0027t override `objectContext()` are vulnerable to a hash collision attack which may result in a denial of service. Most applications do not implement these traits directly, but inherit from a library. `jawn-parser-1.3.1` fixes this issue and users are advised to upgrade. For users unable to upgrade override `objectContext()` to use a collision-safe collection.\"}, {\"lang\": \"es\", \"value\": \"Jawn es un analizador JSON de c\\u00f3digo abierto. Los extensores de \\\"org.typelevel.jawn.SimpleFacade\\\" y \\\"org.typelevel.jawn.MutableFacade\\\" que no anulen \\\"objectContext()\\\" son vulnerables a un ataque de colisi\\u00f3n de hash que puede resultar en una denegaci\\u00f3n de servicio. La mayor\\u00eda de las aplicaciones no implementan estos rasgos directamente, sino que heredan de una biblioteca. La versi\\u00f3n \\\"jawn-parser-1.3.1\\\" corrige este problema y se recomienda a usuarios que actualicen. Para los usuarios que no puedan actualizar, anule \\\"objectContext()\\\" para usar una colecci\\u00f3n a prueba de colisiones.\"}]",
      "id": "CVE-2022-21653",
      "lastModified": "2024-11-21T06:45:09.703",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 5.9, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.2, \"impactScore\": 3.6}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:N/I:N/A:P\", \"baseScore\": 5.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 10.0, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2022-01-05T21:15:07.890",
      "references": "[{\"url\": \"https://github.com/typelevel/jawn/pull/390\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Exploit\", \"Issue Tracking\", \"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/typelevel/jawn/security/advisories/GHSA-vc89-hccf-rq55\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/typelevel/jawn/pull/390\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Issue Tracking\", \"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/typelevel/jawn/security/advisories/GHSA-vc89-hccf-rq55\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-400\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-326\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-21653\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2022-01-05T21:15:07.890\",\"lastModified\":\"2024-11-21T06:45:09.703\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Jawn is an open source JSON parser. Extenders of the `org.typelevel.jawn.SimpleFacade` and `org.typelevel.jawn.MutableFacade` who don\u0027t override `objectContext()` are vulnerable to a hash collision attack which may result in a denial of service. Most applications do not implement these traits directly, but inherit from a library. `jawn-parser-1.3.1` fixes this issue and users are advised to upgrade. For users unable to upgrade override `objectContext()` to use a collision-safe collection.\"},{\"lang\":\"es\",\"value\":\"Jawn es un analizador JSON de c\u00f3digo abierto. Los extensores de \\\"org.typelevel.jawn.SimpleFacade\\\" y \\\"org.typelevel.jawn.MutableFacade\\\" que no anulen \\\"objectContext()\\\" son vulnerables a un ataque de colisi\u00f3n de hash que puede resultar en una denegaci\u00f3n de servicio. La mayor\u00eda de las aplicaciones no implementan estos rasgos directamente, sino que heredan de una biblioteca. La versi\u00f3n \\\"jawn-parser-1.3.1\\\" corrige este problema y se recomienda a usuarios que actualicen. Para los usuarios que no puedan actualizar, anule \\\"objectContext()\\\" para usar una colecci\u00f3n a prueba de colisiones.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.2,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:N/I:N/A:P\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-400\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-326\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typelevel:jawn:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.3.2\",\"matchCriteriaId\":\"19E5C6E5-A1A0-48F3-B773-32DF7F4C55E2\"}]}]}],\"references\":[{\"url\":\"https://github.com/typelevel/jawn/pull/390\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/typelevel/jawn/security/advisories/GHSA-vc89-hccf-rq55\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/typelevel/jawn/pull/390\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/typelevel/jawn/security/advisories/GHSA-vc89-hccf-rq55\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"affected\": [{\"product\": \"jawn\", \"vendor\": \"typelevel\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.3.2\"}]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Jawn is an open source JSON parser. Extenders of the `org.typelevel.jawn.SimpleFacade` and `org.typelevel.jawn.MutableFacade` who don\u0027t override `objectContext()` are vulnerable to a hash collision attack which may result in a denial of service. Most applications do not implement these traits directly, but inherit from a library. `jawn-parser-1.3.1` fixes this issue and users are advised to upgrade. For users unable to upgrade override `objectContext()` to use a collision-safe collection.\"}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"HIGH\", \"baseScore\": 5.9, \"baseSeverity\": \"MEDIUM\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"scope\": \"UNCHANGED\", \"userInteraction\": \"NONE\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"version\": \"3.1\"}}], \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-400\", \"description\": \"CWE-400: Uncontrolled Resource Consumption\", \"lang\": \"en\", \"type\": \"CWE\"}]}], \"providerMetadata\": {\"dateUpdated\": \"2022-01-05T21:00:12.000Z\", \"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\"}, \"references\": [{\"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/typelevel/jawn/security/advisories/GHSA-vc89-hccf-rq55\"}, {\"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/typelevel/jawn/pull/390\"}], \"source\": {\"advisory\": \"GHSA-vc89-hccf-rq55\", \"discovery\": \"UNKNOWN\"}, \"title\": \"Hash collision in typelevel jawn\", \"x_legacyV4Record\": {\"CVE_data_meta\": {\"ASSIGNER\": \"security-advisories@github.com\", \"ID\": \"CVE-2022-21653\", \"STATE\": \"PUBLIC\", \"TITLE\": \"Hash collision in typelevel jawn\"}, \"affects\": {\"vendor\": {\"vendor_data\": [{\"product\": {\"product_data\": [{\"product_name\": \"jawn\", \"version\": {\"version_data\": [{\"version_value\": \"\u003c 1.3.2\"}]}}]}, \"vendor_name\": \"typelevel\"}]}}, \"data_format\": \"MITRE\", \"data_type\": \"CVE\", \"data_version\": \"4.0\", \"description\": {\"description_data\": [{\"lang\": \"eng\", \"value\": \"Jawn is an open source JSON parser. Extenders of the `org.typelevel.jawn.SimpleFacade` and `org.typelevel.jawn.MutableFacade` who don\u0027t override `objectContext()` are vulnerable to a hash collision attack which may result in a denial of service. Most applications do not implement these traits directly, but inherit from a library. `jawn-parser-1.3.1` fixes this issue and users are advised to upgrade. For users unable to upgrade override `objectContext()` to use a collision-safe collection.\"}]}, \"impact\": {\"cvss\": {\"attackComplexity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"HIGH\", \"baseScore\": 5.9, \"baseSeverity\": \"MEDIUM\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"scope\": \"UNCHANGED\", \"userInteraction\": \"NONE\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"version\": \"3.1\"}}, \"problemtype\": {\"problemtype_data\": [{\"description\": [{\"lang\": \"eng\", \"value\": \"CWE-400: Uncontrolled Resource Consumption\"}]}]}, \"references\": {\"reference_data\": [{\"name\": \"https://github.com/typelevel/jawn/security/advisories/GHSA-vc89-hccf-rq55\", \"refsource\": \"CONFIRM\", \"url\": \"https://github.com/typelevel/jawn/security/advisories/GHSA-vc89-hccf-rq55\"}, {\"name\": \"https://github.com/typelevel/jawn/pull/390\", \"refsource\": \"MISC\", \"url\": \"https://github.com/typelevel/jawn/pull/390\"}]}, \"source\": {\"advisory\": \"GHSA-vc89-hccf-rq55\", \"discovery\": \"UNKNOWN\"}}}, \"adp\": [{\"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T02:46:39.225Z\"}, \"title\": \"CVE Program Container\", \"references\": [{\"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"], \"url\": \"https://github.com/typelevel/jawn/security/advisories/GHSA-vc89-hccf-rq55\"}, {\"tags\": [\"x_refsource_MISC\", \"x_transferred\"], \"url\": \"https://github.com/typelevel/jawn/pull/390\"}]}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-21653\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-22T15:52:18.494433Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-22T15:52:21.309Z\"}}]}",
      "cveMetadata": "{\"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"assignerShortName\": \"GitHub_M\", \"cveId\": \"CVE-2022-21653\", \"datePublished\": \"2022-01-05T21:00:12.000Z\", \"dateReserved\": \"2021-11-16T00:00:00.000Z\", \"dateUpdated\": \"2025-04-22T18:34:05.348Z\", \"state\": \"PUBLISHED\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

FKIE_CVE-2022-21653

Vulnerability from fkie_nvd - Published: 2022-01-05 21:15 - Updated: 2024-11-21 06:45

Severity ?

5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/typelevel/jawn/pull/390	Exploit, Issue Tracking, Patch, Third Party Advisory
security-advisories@github.com	https://github.com/typelevel/jawn/security/advisories/GHSA-vc89-hccf-rq55	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/typelevel/jawn/pull/390	Exploit, Issue Tracking, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/typelevel/jawn/security/advisories/GHSA-vc89-hccf-rq55	Patch, Third Party Advisory

Impacted products

	Vendor	Product	Version
	typelevel	jawn	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:typelevel:jawn:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "19E5C6E5-A1A0-48F3-B773-32DF7F4C55E2",
              "versionEndExcluding": "1.3.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Jawn is an open source JSON parser. Extenders of the `org.typelevel.jawn.SimpleFacade` and `org.typelevel.jawn.MutableFacade` who don\u0027t override `objectContext()` are vulnerable to a hash collision attack which may result in a denial of service. Most applications do not implement these traits directly, but inherit from a library. `jawn-parser-1.3.1` fixes this issue and users are advised to upgrade. For users unable to upgrade override `objectContext()` to use a collision-safe collection."
    },
    {
      "lang": "es",
      "value": "Jawn es un analizador JSON de c\u00f3digo abierto. Los extensores de \"org.typelevel.jawn.SimpleFacade\" y \"org.typelevel.jawn.MutableFacade\" que no anulen \"objectContext()\" son vulnerables a un ataque de colisi\u00f3n de hash que puede resultar en una denegaci\u00f3n de servicio. La mayor\u00eda de las aplicaciones no implementan estos rasgos directamente, sino que heredan de una biblioteca. La versi\u00f3n \"jawn-parser-1.3.1\" corrige este problema y se recomienda a usuarios que actualicen. Para los usuarios que no puedan actualizar, anule \"objectContext()\" para usar una colecci\u00f3n a prueba de colisiones."
    }
  ],
  "id": "CVE-2022-21653",
  "lastModified": "2024-11-21T06:45:09.703",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 5.0,
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 5.9,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-01-05T21:15:07.890",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Issue Tracking",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/typelevel/jawn/pull/390"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/typelevel/jawn/security/advisories/GHSA-vc89-hccf-rq55"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Issue Tracking",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/typelevel/jawn/pull/390"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/typelevel/jawn/security/advisories/GHSA-vc89-hccf-rq55"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-400"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-326"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-VC89-HCCF-RQ55

Vulnerability from github – Published: 2022-01-06 23:48 – Updated: 2022-01-06 20:19

Summary

Hash collision in typelevel jawn

Details

Impact

Extenders of the org.typelevel.jawn.SimpleFacade and org.typelevel.jawn.MutableFacade who don't override objectContext() are vulnerable to a hash collision attack. Most applications do not implement these traits directly, but inherit from a library:

Affected implementations include: * org.http4s :: http4s-play-json * org.typelevel :: jawn-ast (< 0.8.0) * org.typelevel :: jawn-play (discontinued) * org.typelevel :: jawn-rojoma (discontinued) * org.typelevel :: jawn-spray (discontinued)

Unaffected implementations include: * io.argonaut :: argonaut-jawn * io.circe :: circe-parser * org.typelevel :: jawn-ast (>= 0.8.0) * org.typelevel :: jawn-json4s (discontinued) * org.typelevel :: jawn-argonaut (discontinued)

Patches

jawn-parser-1.3.2 fixes the issue.

Workarounds

Override objectContext() to use a collision-safe collection. See the patch for an example in both SimpleFacade and MutableFacade.

References

https://github.com/typelevel/jawn/pull/390

Credits

@kag0, for the report and the patch

For more information

If you have any questions or comments about this advisory: * Open an issue in typelevel/jawn * E-mail a maintainer: * @rossabaker

Severity ?

5.9 (Medium)


                  
                    CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.typelevel:jawn-parser"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-21653"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-01-06T20:19:30Z",
    "nvd_published_at": "2022-01-05T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nExtenders of the `org.typelevel.jawn.SimpleFacade` and `org.typelevel.jawn.MutableFacade` who don\u0027t override `objectContext()` are vulnerable to a hash collision attack.  Most applications do not implement these traits directly, but inherit from a library:\n\nAffected implementations include:\n* `org.http4s` :: `http4s-play-json`\n* `org.typelevel :: jawn-ast` (\u003c 0.8.0)\n* `org.typelevel :: jawn-play` (discontinued)\n* `org.typelevel :: jawn-rojoma` (discontinued)\n* `org.typelevel :: jawn-spray` (discontinued)\n\nUnaffected implementations include:\n* `io.argonaut :: argonaut-jawn`\n* `io.circe :: circe-parser`\n* `org.typelevel :: jawn-ast` (\u003e= 0.8.0)\n* `org.typelevel :: jawn-json4s` (discontinued)\n* `org.typelevel :: jawn-argonaut` (discontinued)\n\n### Patches\n\n`jawn-parser-1.3.2` fixes the issue.\n\n### Workarounds\n\nOverride `objectContext()` to use a collision-safe collection.  See [the patch](https://github.com/typelevel/jawn/pull/390/files) for an example in both `SimpleFacade` and `MutableFacade`.\n\n### References\n\n* https://github.com/typelevel/jawn/pull/390\n\n### Credits\n\n* @kag0, for the report and the patch\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [typelevel/jawn](https://github.com/typelevel/jawn)\n* E-mail a maintainer:\n  * [@rossabaker](mailto:ross@rossabaker.com)\n",
  "id": "GHSA-vc89-hccf-rq55",
  "modified": "2022-01-06T20:19:30Z",
  "published": "2022-01-06T23:48:35Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/typelevel/jawn/security/advisories/GHSA-vc89-hccf-rq55"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21653"
    },
    {
      "type": "WEB",
      "url": "https://github.com/typelevel/jawn/pull/390"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/typelevel/jawn"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Hash collision in typelevel jawn"
}

OPENSUSE-SU-2022:0011-1

Vulnerability from csaf_opensuse - Published: 2022-01-11 13:01 - Updated: 2022-01-11 13:01

Summary

Security update for jawn

Notes

Title of the patch

Security update for jawn

Description of the patch

This update for jawn fixes the following issues: * CVE-2022-21653: DoS caused by a hash collision in SimpleFacade and MutableFacade (boo#1194358)

Patchnames

openSUSE-2022-11

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for jawn",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for jawn fixes the following issues:\n\n* CVE-2022-21653: DoS caused by a hash collision in SimpleFacade and MutableFacade (boo#1194358)\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-2022-11",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2022_0011-1.json"
      },
      {
        "category": "self",
        "summary": "URL for openSUSE-SU-2022:0011-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/LN5Z3Y5OA2VGDDD23VAZE2P4IULBASWF/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for openSUSE-SU-2022:0011-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/LN5Z3Y5OA2VGDDD23VAZE2P4IULBASWF/"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1194358",
        "url": "https://bugzilla.suse.com/1194358"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-21653 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-21653/"
      }
    ],
    "title": "Security update for jawn",
    "tracking": {
      "current_release_date": "2022-01-11T13:01:01Z",
      "generator": {
        "date": "2022-01-11T13:01:01Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2022:0011-1",
      "initial_release_date": "2022-01-11T13:01:01Z",
      "revision_history": [
        {
          "date": "2022-01-11T13:01:01Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jawn-ast-0.14.1-bp153.2.3.1.noarch",
                "product": {
                  "name": "jawn-ast-0.14.1-bp153.2.3.1.noarch",
                  "product_id": "jawn-ast-0.14.1-bp153.2.3.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "jawn-json4s-0.14.1-bp153.2.3.1.noarch",
                "product": {
                  "name": "jawn-json4s-0.14.1-bp153.2.3.1.noarch",
                  "product_id": "jawn-json4s-0.14.1-bp153.2.3.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "jawn-parser-0.14.1-bp153.2.3.1.noarch",
                "product": {
                  "name": "jawn-parser-0.14.1-bp153.2.3.1.noarch",
                  "product_id": "jawn-parser-0.14.1-bp153.2.3.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "jawn-util-0.14.1-bp153.2.3.1.noarch",
                "product": {
                  "name": "jawn-util-0.14.1-bp153.2.3.1.noarch",
                  "product_id": "jawn-util-0.14.1-bp153.2.3.1.noarch"
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Package Hub 15 SP3",
                "product": {
                  "name": "SUSE Package Hub 15 SP3",
                  "product_id": "SUSE Package Hub 15 SP3"
                }
              },
              {
                "category": "product_name",
                "name": "openSUSE Leap 15.3",
                "product": {
                  "name": "openSUSE Leap 15.3",
                  "product_id": "openSUSE Leap 15.3",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:leap:15.3"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jawn-ast-0.14.1-bp153.2.3.1.noarch as component of SUSE Package Hub 15 SP3",
          "product_id": "SUSE Package Hub 15 SP3:jawn-ast-0.14.1-bp153.2.3.1.noarch"
        },
        "product_reference": "jawn-ast-0.14.1-bp153.2.3.1.noarch",
        "relates_to_product_reference": "SUSE Package Hub 15 SP3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jawn-json4s-0.14.1-bp153.2.3.1.noarch as component of SUSE Package Hub 15 SP3",
          "product_id": "SUSE Package Hub 15 SP3:jawn-json4s-0.14.1-bp153.2.3.1.noarch"
        },
        "product_reference": "jawn-json4s-0.14.1-bp153.2.3.1.noarch",
        "relates_to_product_reference": "SUSE Package Hub 15 SP3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jawn-parser-0.14.1-bp153.2.3.1.noarch as component of SUSE Package Hub 15 SP3",
          "product_id": "SUSE Package Hub 15 SP3:jawn-parser-0.14.1-bp153.2.3.1.noarch"
        },
        "product_reference": "jawn-parser-0.14.1-bp153.2.3.1.noarch",
        "relates_to_product_reference": "SUSE Package Hub 15 SP3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jawn-util-0.14.1-bp153.2.3.1.noarch as component of SUSE Package Hub 15 SP3",
          "product_id": "SUSE Package Hub 15 SP3:jawn-util-0.14.1-bp153.2.3.1.noarch"
        },
        "product_reference": "jawn-util-0.14.1-bp153.2.3.1.noarch",
        "relates_to_product_reference": "SUSE Package Hub 15 SP3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jawn-ast-0.14.1-bp153.2.3.1.noarch as component of openSUSE Leap 15.3",
          "product_id": "openSUSE Leap 15.3:jawn-ast-0.14.1-bp153.2.3.1.noarch"
        },
        "product_reference": "jawn-ast-0.14.1-bp153.2.3.1.noarch",
        "relates_to_product_reference": "openSUSE Leap 15.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jawn-json4s-0.14.1-bp153.2.3.1.noarch as component of openSUSE Leap 15.3",
          "product_id": "openSUSE Leap 15.3:jawn-json4s-0.14.1-bp153.2.3.1.noarch"
        },
        "product_reference": "jawn-json4s-0.14.1-bp153.2.3.1.noarch",
        "relates_to_product_reference": "openSUSE Leap 15.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jawn-parser-0.14.1-bp153.2.3.1.noarch as component of openSUSE Leap 15.3",
          "product_id": "openSUSE Leap 15.3:jawn-parser-0.14.1-bp153.2.3.1.noarch"
        },
        "product_reference": "jawn-parser-0.14.1-bp153.2.3.1.noarch",
        "relates_to_product_reference": "openSUSE Leap 15.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jawn-util-0.14.1-bp153.2.3.1.noarch as component of openSUSE Leap 15.3",
          "product_id": "openSUSE Leap 15.3:jawn-util-0.14.1-bp153.2.3.1.noarch"
        },
        "product_reference": "jawn-util-0.14.1-bp153.2.3.1.noarch",
        "relates_to_product_reference": "openSUSE Leap 15.3"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-21653",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-21653"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Jawn is an open source JSON parser. Extenders of the `org.typelevel.jawn.SimpleFacade` and `org.typelevel.jawn.MutableFacade` who don\u0027t override `objectContext()` are vulnerable to a hash collision attack which may result in a denial of service. Most applications do not implement these traits directly, but inherit from a library. `jawn-parser-1.3.1` fixes this issue and users are advised to upgrade. For users unable to upgrade override `objectContext()` to use a collision-safe collection.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Package Hub 15 SP3:jawn-ast-0.14.1-bp153.2.3.1.noarch",
          "SUSE Package Hub 15 SP3:jawn-json4s-0.14.1-bp153.2.3.1.noarch",
          "SUSE Package Hub 15 SP3:jawn-parser-0.14.1-bp153.2.3.1.noarch",
          "SUSE Package Hub 15 SP3:jawn-util-0.14.1-bp153.2.3.1.noarch",
          "openSUSE Leap 15.3:jawn-ast-0.14.1-bp153.2.3.1.noarch",
          "openSUSE Leap 15.3:jawn-json4s-0.14.1-bp153.2.3.1.noarch",
          "openSUSE Leap 15.3:jawn-parser-0.14.1-bp153.2.3.1.noarch",
          "openSUSE Leap 15.3:jawn-util-0.14.1-bp153.2.3.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-21653",
          "url": "https://www.suse.com/security/cve/CVE-2022-21653"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1194358 for CVE-2022-21653",
          "url": "https://bugzilla.suse.com/1194358"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Package Hub 15 SP3:jawn-ast-0.14.1-bp153.2.3.1.noarch",
            "SUSE Package Hub 15 SP3:jawn-json4s-0.14.1-bp153.2.3.1.noarch",
            "SUSE Package Hub 15 SP3:jawn-parser-0.14.1-bp153.2.3.1.noarch",
            "SUSE Package Hub 15 SP3:jawn-util-0.14.1-bp153.2.3.1.noarch",
            "openSUSE Leap 15.3:jawn-ast-0.14.1-bp153.2.3.1.noarch",
            "openSUSE Leap 15.3:jawn-json4s-0.14.1-bp153.2.3.1.noarch",
            "openSUSE Leap 15.3:jawn-parser-0.14.1-bp153.2.3.1.noarch",
            "openSUSE Leap 15.3:jawn-util-0.14.1-bp153.2.3.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Package Hub 15 SP3:jawn-ast-0.14.1-bp153.2.3.1.noarch",
            "SUSE Package Hub 15 SP3:jawn-json4s-0.14.1-bp153.2.3.1.noarch",
            "SUSE Package Hub 15 SP3:jawn-parser-0.14.1-bp153.2.3.1.noarch",
            "SUSE Package Hub 15 SP3:jawn-util-0.14.1-bp153.2.3.1.noarch",
            "openSUSE Leap 15.3:jawn-ast-0.14.1-bp153.2.3.1.noarch",
            "openSUSE Leap 15.3:jawn-json4s-0.14.1-bp153.2.3.1.noarch",
            "openSUSE Leap 15.3:jawn-parser-0.14.1-bp153.2.3.1.noarch",
            "openSUSE Leap 15.3:jawn-util-0.14.1-bp153.2.3.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2022-01-11T13:01:01Z",
          "details": "important"
        }
      ],
      "title": "CVE-2022-21653"
    }
  ]
}

OPENSUSE-SU-2022:0106-1

Vulnerability from csaf_opensuse - Published: 2022-01-18 10:43 - Updated: 2022-01-18 10:43

Summary

Security update for jawn

Notes

Title of the patch

Security update for jawn

Description of the patch

This update for jawn fixes the following issues: - CVE-2022-21653: Fixed DoS caused by a hash collision in SimpleFacade and MutableFacade (bsc#1194358).

Patchnames

openSUSE-SLE-15.3-2022-106

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for jawn",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for jawn fixes the following issues:\n\n- CVE-2022-21653: Fixed DoS caused by a hash collision in SimpleFacade and MutableFacade (bsc#1194358).\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-SLE-15.3-2022-106",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2022_0106-1.json"
      },
      {
        "category": "self",
        "summary": "URL for openSUSE-SU-2022:0106-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/OBUO7H3LKGBHC4SODDIXNRMKJH3PIZ7M/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for openSUSE-SU-2022:0106-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/OBUO7H3LKGBHC4SODDIXNRMKJH3PIZ7M/"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1194358",
        "url": "https://bugzilla.suse.com/1194358"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-21653 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-21653/"
      }
    ],
    "title": "Security update for jawn",
    "tracking": {
      "current_release_date": "2022-01-18T10:43:15Z",
      "generator": {
        "date": "2022-01-18T10:43:15Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2022:0106-1",
      "initial_release_date": "2022-01-18T10:43:15Z",
      "revision_history": [
        {
          "date": "2022-01-18T10:43:15Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jawn-ast-0.14.1-3.3.1.noarch",
                "product": {
                  "name": "jawn-ast-0.14.1-3.3.1.noarch",
                  "product_id": "jawn-ast-0.14.1-3.3.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "jawn-json4s-0.14.1-3.3.1.noarch",
                "product": {
                  "name": "jawn-json4s-0.14.1-3.3.1.noarch",
                  "product_id": "jawn-json4s-0.14.1-3.3.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "jawn-parser-0.14.1-3.3.1.noarch",
                "product": {
                  "name": "jawn-parser-0.14.1-3.3.1.noarch",
                  "product_id": "jawn-parser-0.14.1-3.3.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "jawn-util-0.14.1-3.3.1.noarch",
                "product": {
                  "name": "jawn-util-0.14.1-3.3.1.noarch",
                  "product_id": "jawn-util-0.14.1-3.3.1.noarch"
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Leap 15.3",
                "product": {
                  "name": "openSUSE Leap 15.3",
                  "product_id": "openSUSE Leap 15.3",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:leap:15.3"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jawn-ast-0.14.1-3.3.1.noarch as component of openSUSE Leap 15.3",
          "product_id": "openSUSE Leap 15.3:jawn-ast-0.14.1-3.3.1.noarch"
        },
        "product_reference": "jawn-ast-0.14.1-3.3.1.noarch",
        "relates_to_product_reference": "openSUSE Leap 15.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jawn-json4s-0.14.1-3.3.1.noarch as component of openSUSE Leap 15.3",
          "product_id": "openSUSE Leap 15.3:jawn-json4s-0.14.1-3.3.1.noarch"
        },
        "product_reference": "jawn-json4s-0.14.1-3.3.1.noarch",
        "relates_to_product_reference": "openSUSE Leap 15.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jawn-parser-0.14.1-3.3.1.noarch as component of openSUSE Leap 15.3",
          "product_id": "openSUSE Leap 15.3:jawn-parser-0.14.1-3.3.1.noarch"
        },
        "product_reference": "jawn-parser-0.14.1-3.3.1.noarch",
        "relates_to_product_reference": "openSUSE Leap 15.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jawn-util-0.14.1-3.3.1.noarch as component of openSUSE Leap 15.3",
          "product_id": "openSUSE Leap 15.3:jawn-util-0.14.1-3.3.1.noarch"
        },
        "product_reference": "jawn-util-0.14.1-3.3.1.noarch",
        "relates_to_product_reference": "openSUSE Leap 15.3"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-21653",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-21653"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Jawn is an open source JSON parser. Extenders of the `org.typelevel.jawn.SimpleFacade` and `org.typelevel.jawn.MutableFacade` who don\u0027t override `objectContext()` are vulnerable to a hash collision attack which may result in a denial of service. Most applications do not implement these traits directly, but inherit from a library. `jawn-parser-1.3.1` fixes this issue and users are advised to upgrade. For users unable to upgrade override `objectContext()` to use a collision-safe collection.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 15.3:jawn-ast-0.14.1-3.3.1.noarch",
          "openSUSE Leap 15.3:jawn-json4s-0.14.1-3.3.1.noarch",
          "openSUSE Leap 15.3:jawn-parser-0.14.1-3.3.1.noarch",
          "openSUSE Leap 15.3:jawn-util-0.14.1-3.3.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-21653",
          "url": "https://www.suse.com/security/cve/CVE-2022-21653"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1194358 for CVE-2022-21653",
          "url": "https://bugzilla.suse.com/1194358"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 15.3:jawn-ast-0.14.1-3.3.1.noarch",
            "openSUSE Leap 15.3:jawn-json4s-0.14.1-3.3.1.noarch",
            "openSUSE Leap 15.3:jawn-parser-0.14.1-3.3.1.noarch",
            "openSUSE Leap 15.3:jawn-util-0.14.1-3.3.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 15.3:jawn-ast-0.14.1-3.3.1.noarch",
            "openSUSE Leap 15.3:jawn-json4s-0.14.1-3.3.1.noarch",
            "openSUSE Leap 15.3:jawn-parser-0.14.1-3.3.1.noarch",
            "openSUSE Leap 15.3:jawn-util-0.14.1-3.3.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2022-01-18T10:43:15Z",
          "details": "important"
        }
      ],
      "title": "CVE-2022-21653"
    }
  ]
}

OPENSUSE-SU-2024:11718-1

Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00

Summary

jawn-ast-0.14.1-2.1 on GA media

Notes

Title of the patch

jawn-ast-0.14.1-2.1 on GA media

Description of the patch

These are all security issues fixed in the jawn-ast-0.14.1-2.1 package on the GA media of openSUSE Tumbleweed.

Patchnames

openSUSE-Tumbleweed-2024-11718

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "jawn-ast-0.14.1-2.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the jawn-ast-0.14.1-2.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2024-11718",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_11718-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-21653 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-21653/"
      }
    ],
    "title": "jawn-ast-0.14.1-2.1 on GA media",
    "tracking": {
      "current_release_date": "2024-06-15T00:00:00Z",
      "generator": {
        "date": "2024-06-15T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2024:11718-1",
      "initial_release_date": "2024-06-15T00:00:00Z",
      "revision_history": [
        {
          "date": "2024-06-15T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jawn-ast-0.14.1-2.1.aarch64",
                "product": {
                  "name": "jawn-ast-0.14.1-2.1.aarch64",
                  "product_id": "jawn-ast-0.14.1-2.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "jawn-json4s-0.14.1-2.1.aarch64",
                "product": {
                  "name": "jawn-json4s-0.14.1-2.1.aarch64",
                  "product_id": "jawn-json4s-0.14.1-2.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "jawn-parser-0.14.1-2.1.aarch64",
                "product": {
                  "name": "jawn-parser-0.14.1-2.1.aarch64",
                  "product_id": "jawn-parser-0.14.1-2.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "jawn-util-0.14.1-2.1.aarch64",
                "product": {
                  "name": "jawn-util-0.14.1-2.1.aarch64",
                  "product_id": "jawn-util-0.14.1-2.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jawn-ast-0.14.1-2.1.ppc64le",
                "product": {
                  "name": "jawn-ast-0.14.1-2.1.ppc64le",
                  "product_id": "jawn-ast-0.14.1-2.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "jawn-json4s-0.14.1-2.1.ppc64le",
                "product": {
                  "name": "jawn-json4s-0.14.1-2.1.ppc64le",
                  "product_id": "jawn-json4s-0.14.1-2.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "jawn-parser-0.14.1-2.1.ppc64le",
                "product": {
                  "name": "jawn-parser-0.14.1-2.1.ppc64le",
                  "product_id": "jawn-parser-0.14.1-2.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "jawn-util-0.14.1-2.1.ppc64le",
                "product": {
                  "name": "jawn-util-0.14.1-2.1.ppc64le",
                  "product_id": "jawn-util-0.14.1-2.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jawn-ast-0.14.1-2.1.s390x",
                "product": {
                  "name": "jawn-ast-0.14.1-2.1.s390x",
                  "product_id": "jawn-ast-0.14.1-2.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "jawn-json4s-0.14.1-2.1.s390x",
                "product": {
                  "name": "jawn-json4s-0.14.1-2.1.s390x",
                  "product_id": "jawn-json4s-0.14.1-2.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "jawn-parser-0.14.1-2.1.s390x",
                "product": {
                  "name": "jawn-parser-0.14.1-2.1.s390x",
                  "product_id": "jawn-parser-0.14.1-2.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "jawn-util-0.14.1-2.1.s390x",
                "product": {
                  "name": "jawn-util-0.14.1-2.1.s390x",
                  "product_id": "jawn-util-0.14.1-2.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jawn-ast-0.14.1-2.1.x86_64",
                "product": {
                  "name": "jawn-ast-0.14.1-2.1.x86_64",
                  "product_id": "jawn-ast-0.14.1-2.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "jawn-json4s-0.14.1-2.1.x86_64",
                "product": {
                  "name": "jawn-json4s-0.14.1-2.1.x86_64",
                  "product_id": "jawn-json4s-0.14.1-2.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "jawn-parser-0.14.1-2.1.x86_64",
                "product": {
                  "name": "jawn-parser-0.14.1-2.1.x86_64",
                  "product_id": "jawn-parser-0.14.1-2.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "jawn-util-0.14.1-2.1.x86_64",
                "product": {
                  "name": "jawn-util-0.14.1-2.1.x86_64",
                  "product_id": "jawn-util-0.14.1-2.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jawn-ast-0.14.1-2.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jawn-ast-0.14.1-2.1.aarch64"
        },
        "product_reference": "jawn-ast-0.14.1-2.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jawn-ast-0.14.1-2.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jawn-ast-0.14.1-2.1.ppc64le"
        },
        "product_reference": "jawn-ast-0.14.1-2.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jawn-ast-0.14.1-2.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jawn-ast-0.14.1-2.1.s390x"
        },
        "product_reference": "jawn-ast-0.14.1-2.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jawn-ast-0.14.1-2.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jawn-ast-0.14.1-2.1.x86_64"
        },
        "product_reference": "jawn-ast-0.14.1-2.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jawn-json4s-0.14.1-2.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jawn-json4s-0.14.1-2.1.aarch64"
        },
        "product_reference": "jawn-json4s-0.14.1-2.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jawn-json4s-0.14.1-2.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jawn-json4s-0.14.1-2.1.ppc64le"
        },
        "product_reference": "jawn-json4s-0.14.1-2.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jawn-json4s-0.14.1-2.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jawn-json4s-0.14.1-2.1.s390x"
        },
        "product_reference": "jawn-json4s-0.14.1-2.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jawn-json4s-0.14.1-2.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jawn-json4s-0.14.1-2.1.x86_64"
        },
        "product_reference": "jawn-json4s-0.14.1-2.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jawn-parser-0.14.1-2.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jawn-parser-0.14.1-2.1.aarch64"
        },
        "product_reference": "jawn-parser-0.14.1-2.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jawn-parser-0.14.1-2.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jawn-parser-0.14.1-2.1.ppc64le"
        },
        "product_reference": "jawn-parser-0.14.1-2.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jawn-parser-0.14.1-2.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jawn-parser-0.14.1-2.1.s390x"
        },
        "product_reference": "jawn-parser-0.14.1-2.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jawn-parser-0.14.1-2.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jawn-parser-0.14.1-2.1.x86_64"
        },
        "product_reference": "jawn-parser-0.14.1-2.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jawn-util-0.14.1-2.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jawn-util-0.14.1-2.1.aarch64"
        },
        "product_reference": "jawn-util-0.14.1-2.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jawn-util-0.14.1-2.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jawn-util-0.14.1-2.1.ppc64le"
        },
        "product_reference": "jawn-util-0.14.1-2.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jawn-util-0.14.1-2.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jawn-util-0.14.1-2.1.s390x"
        },
        "product_reference": "jawn-util-0.14.1-2.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jawn-util-0.14.1-2.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jawn-util-0.14.1-2.1.x86_64"
        },
        "product_reference": "jawn-util-0.14.1-2.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-21653",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-21653"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Jawn is an open source JSON parser. Extenders of the `org.typelevel.jawn.SimpleFacade` and `org.typelevel.jawn.MutableFacade` who don\u0027t override `objectContext()` are vulnerable to a hash collision attack which may result in a denial of service. Most applications do not implement these traits directly, but inherit from a library. `jawn-parser-1.3.1` fixes this issue and users are advised to upgrade. For users unable to upgrade override `objectContext()` to use a collision-safe collection.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:jawn-ast-0.14.1-2.1.aarch64",
          "openSUSE Tumbleweed:jawn-ast-0.14.1-2.1.ppc64le",
          "openSUSE Tumbleweed:jawn-ast-0.14.1-2.1.s390x",
          "openSUSE Tumbleweed:jawn-ast-0.14.1-2.1.x86_64",
          "openSUSE Tumbleweed:jawn-json4s-0.14.1-2.1.aarch64",
          "openSUSE Tumbleweed:jawn-json4s-0.14.1-2.1.ppc64le",
          "openSUSE Tumbleweed:jawn-json4s-0.14.1-2.1.s390x",
          "openSUSE Tumbleweed:jawn-json4s-0.14.1-2.1.x86_64",
          "openSUSE Tumbleweed:jawn-parser-0.14.1-2.1.aarch64",
          "openSUSE Tumbleweed:jawn-parser-0.14.1-2.1.ppc64le",
          "openSUSE Tumbleweed:jawn-parser-0.14.1-2.1.s390x",
          "openSUSE Tumbleweed:jawn-parser-0.14.1-2.1.x86_64",
          "openSUSE Tumbleweed:jawn-util-0.14.1-2.1.aarch64",
          "openSUSE Tumbleweed:jawn-util-0.14.1-2.1.ppc64le",
          "openSUSE Tumbleweed:jawn-util-0.14.1-2.1.s390x",
          "openSUSE Tumbleweed:jawn-util-0.14.1-2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-21653",
          "url": "https://www.suse.com/security/cve/CVE-2022-21653"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1194358 for CVE-2022-21653",
          "url": "https://bugzilla.suse.com/1194358"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:jawn-ast-0.14.1-2.1.aarch64",
            "openSUSE Tumbleweed:jawn-ast-0.14.1-2.1.ppc64le",
            "openSUSE Tumbleweed:jawn-ast-0.14.1-2.1.s390x",
            "openSUSE Tumbleweed:jawn-ast-0.14.1-2.1.x86_64",
            "openSUSE Tumbleweed:jawn-json4s-0.14.1-2.1.aarch64",
            "openSUSE Tumbleweed:jawn-json4s-0.14.1-2.1.ppc64le",
            "openSUSE Tumbleweed:jawn-json4s-0.14.1-2.1.s390x",
            "openSUSE Tumbleweed:jawn-json4s-0.14.1-2.1.x86_64",
            "openSUSE Tumbleweed:jawn-parser-0.14.1-2.1.aarch64",
            "openSUSE Tumbleweed:jawn-parser-0.14.1-2.1.ppc64le",
            "openSUSE Tumbleweed:jawn-parser-0.14.1-2.1.s390x",
            "openSUSE Tumbleweed:jawn-parser-0.14.1-2.1.x86_64",
            "openSUSE Tumbleweed:jawn-util-0.14.1-2.1.aarch64",
            "openSUSE Tumbleweed:jawn-util-0.14.1-2.1.ppc64le",
            "openSUSE Tumbleweed:jawn-util-0.14.1-2.1.s390x",
            "openSUSE Tumbleweed:jawn-util-0.14.1-2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:jawn-ast-0.14.1-2.1.aarch64",
            "openSUSE Tumbleweed:jawn-ast-0.14.1-2.1.ppc64le",
            "openSUSE Tumbleweed:jawn-ast-0.14.1-2.1.s390x",
            "openSUSE Tumbleweed:jawn-ast-0.14.1-2.1.x86_64",
            "openSUSE Tumbleweed:jawn-json4s-0.14.1-2.1.aarch64",
            "openSUSE Tumbleweed:jawn-json4s-0.14.1-2.1.ppc64le",
            "openSUSE Tumbleweed:jawn-json4s-0.14.1-2.1.s390x",
            "openSUSE Tumbleweed:jawn-json4s-0.14.1-2.1.x86_64",
            "openSUSE Tumbleweed:jawn-parser-0.14.1-2.1.aarch64",
            "openSUSE Tumbleweed:jawn-parser-0.14.1-2.1.ppc64le",
            "openSUSE Tumbleweed:jawn-parser-0.14.1-2.1.s390x",
            "openSUSE Tumbleweed:jawn-parser-0.14.1-2.1.x86_64",
            "openSUSE Tumbleweed:jawn-util-0.14.1-2.1.aarch64",
            "openSUSE Tumbleweed:jawn-util-0.14.1-2.1.ppc64le",
            "openSUSE Tumbleweed:jawn-util-0.14.1-2.1.s390x",
            "openSUSE Tumbleweed:jawn-util-0.14.1-2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2022-21653"
    }
  ]
}

OPENSUSE-SU-2022:0045-1

Vulnerability from csaf_opensuse - Published: 2022-02-20 13:01 - Updated: 2022-02-20 13:01

Summary

Security update for jaw

Notes

Title of the patch

Security update for jaw

Description of the patch

jawn was updated to fix: * CVE-2022-21653: DoS caused by a hash collision in SimpleFacade and MutableFacade (bsc#1194358)

Patchnames

openSUSE-2022-45

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for jaw",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "\njawn was updated to fix:\n\n* CVE-2022-21653: DoS caused by a hash collision in SimpleFacade and MutableFacade (bsc#1194358)\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-2022-45",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2022_0045-1.json"
      },
      {
        "category": "self",
        "summary": "URL for openSUSE-SU-2022:0045-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/JX7DHIBOHVUYZIPBBRVCZ2DBCRAZALDM/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for openSUSE-SU-2022:0045-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/JX7DHIBOHVUYZIPBBRVCZ2DBCRAZALDM/"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1194358",
        "url": "https://bugzilla.suse.com/1194358"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-21653 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-21653/"
      }
    ],
    "title": "Security update for jaw",
    "tracking": {
      "current_release_date": "2022-02-20T13:01:31Z",
      "generator": {
        "date": "2022-02-20T13:01:31Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2022:0045-1",
      "initial_release_date": "2022-02-20T13:01:31Z",
      "revision_history": [
        {
          "date": "2022-02-20T13:01:31Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jawn-ast-0.14.1-bp152.2.3.1.noarch",
                "product": {
                  "name": "jawn-ast-0.14.1-bp152.2.3.1.noarch",
                  "product_id": "jawn-ast-0.14.1-bp152.2.3.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "jawn-json4s-0.14.1-bp152.2.3.1.noarch",
                "product": {
                  "name": "jawn-json4s-0.14.1-bp152.2.3.1.noarch",
                  "product_id": "jawn-json4s-0.14.1-bp152.2.3.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "jawn-parser-0.14.1-bp152.2.3.1.noarch",
                "product": {
                  "name": "jawn-parser-0.14.1-bp152.2.3.1.noarch",
                  "product_id": "jawn-parser-0.14.1-bp152.2.3.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "jawn-util-0.14.1-bp152.2.3.1.noarch",
                "product": {
                  "name": "jawn-util-0.14.1-bp152.2.3.1.noarch",
                  "product_id": "jawn-util-0.14.1-bp152.2.3.1.noarch"
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Package Hub 15 SP2",
                "product": {
                  "name": "SUSE Package Hub 15 SP2",
                  "product_id": "SUSE Package Hub 15 SP2"
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jawn-ast-0.14.1-bp152.2.3.1.noarch as component of SUSE Package Hub 15 SP2",
          "product_id": "SUSE Package Hub 15 SP2:jawn-ast-0.14.1-bp152.2.3.1.noarch"
        },
        "product_reference": "jawn-ast-0.14.1-bp152.2.3.1.noarch",
        "relates_to_product_reference": "SUSE Package Hub 15 SP2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jawn-json4s-0.14.1-bp152.2.3.1.noarch as component of SUSE Package Hub 15 SP2",
          "product_id": "SUSE Package Hub 15 SP2:jawn-json4s-0.14.1-bp152.2.3.1.noarch"
        },
        "product_reference": "jawn-json4s-0.14.1-bp152.2.3.1.noarch",
        "relates_to_product_reference": "SUSE Package Hub 15 SP2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jawn-parser-0.14.1-bp152.2.3.1.noarch as component of SUSE Package Hub 15 SP2",
          "product_id": "SUSE Package Hub 15 SP2:jawn-parser-0.14.1-bp152.2.3.1.noarch"
        },
        "product_reference": "jawn-parser-0.14.1-bp152.2.3.1.noarch",
        "relates_to_product_reference": "SUSE Package Hub 15 SP2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jawn-util-0.14.1-bp152.2.3.1.noarch as component of SUSE Package Hub 15 SP2",
          "product_id": "SUSE Package Hub 15 SP2:jawn-util-0.14.1-bp152.2.3.1.noarch"
        },
        "product_reference": "jawn-util-0.14.1-bp152.2.3.1.noarch",
        "relates_to_product_reference": "SUSE Package Hub 15 SP2"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-21653",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-21653"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Jawn is an open source JSON parser. Extenders of the `org.typelevel.jawn.SimpleFacade` and `org.typelevel.jawn.MutableFacade` who don\u0027t override `objectContext()` are vulnerable to a hash collision attack which may result in a denial of service. Most applications do not implement these traits directly, but inherit from a library. `jawn-parser-1.3.1` fixes this issue and users are advised to upgrade. For users unable to upgrade override `objectContext()` to use a collision-safe collection.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Package Hub 15 SP2:jawn-ast-0.14.1-bp152.2.3.1.noarch",
          "SUSE Package Hub 15 SP2:jawn-json4s-0.14.1-bp152.2.3.1.noarch",
          "SUSE Package Hub 15 SP2:jawn-parser-0.14.1-bp152.2.3.1.noarch",
          "SUSE Package Hub 15 SP2:jawn-util-0.14.1-bp152.2.3.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-21653",
          "url": "https://www.suse.com/security/cve/CVE-2022-21653"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1194358 for CVE-2022-21653",
          "url": "https://bugzilla.suse.com/1194358"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Package Hub 15 SP2:jawn-ast-0.14.1-bp152.2.3.1.noarch",
            "SUSE Package Hub 15 SP2:jawn-json4s-0.14.1-bp152.2.3.1.noarch",
            "SUSE Package Hub 15 SP2:jawn-parser-0.14.1-bp152.2.3.1.noarch",
            "SUSE Package Hub 15 SP2:jawn-util-0.14.1-bp152.2.3.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Package Hub 15 SP2:jawn-ast-0.14.1-bp152.2.3.1.noarch",
            "SUSE Package Hub 15 SP2:jawn-json4s-0.14.1-bp152.2.3.1.noarch",
            "SUSE Package Hub 15 SP2:jawn-parser-0.14.1-bp152.2.3.1.noarch",
            "SUSE Package Hub 15 SP2:jawn-util-0.14.1-bp152.2.3.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2022-02-20T13:01:31Z",
          "details": "important"
        }
      ],
      "title": "CVE-2022-21653"
    }
  ]
}

GSD-2022-21653

Vulnerability from gsd - Updated: 2023-12-13 01:19

Details

Aliases

CVE-2022-21653

Aliases

CVE-2022-21653

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-21653",
    "description": "Jawn is an open source JSON parser. Extenders of the `org.typelevel.jawn.SimpleFacade` and `org.typelevel.jawn.MutableFacade` who don\u0027t override `objectContext()` are vulnerable to a hash collision attack which may result in a denial of service. Most applications do not implement these traits directly, but inherit from a library. `jawn-parser-1.3.1` fixes this issue and users are advised to upgrade. For users unable to upgrade override `objectContext()` to use a collision-safe collection.",
    "id": "GSD-2022-21653",
    "references": [
      "https://www.suse.com/security/cve/CVE-2022-21653.html"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-21653"
      ],
      "details": "Jawn is an open source JSON parser. Extenders of the `org.typelevel.jawn.SimpleFacade` and `org.typelevel.jawn.MutableFacade` who don\u0027t override `objectContext()` are vulnerable to a hash collision attack which may result in a denial of service. Most applications do not implement these traits directly, but inherit from a library. `jawn-parser-1.3.1` fixes this issue and users are advised to upgrade. For users unable to upgrade override `objectContext()` to use a collision-safe collection.",
      "id": "GSD-2022-21653",
      "modified": "2023-12-13T01:19:14.001344Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2022-21653",
        "STATE": "PUBLIC",
        "TITLE": "Hash collision in typelevel jawn"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "jawn",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003c 1.3.2"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "typelevel"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Jawn is an open source JSON parser. Extenders of the `org.typelevel.jawn.SimpleFacade` and `org.typelevel.jawn.MutableFacade` who don\u0027t override `objectContext()` are vulnerable to a hash collision attack which may result in a denial of service. Most applications do not implement these traits directly, but inherit from a library. `jawn-parser-1.3.1` fixes this issue and users are advised to upgrade. For users unable to upgrade override `objectContext()` to use a collision-safe collection."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 5.9,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-400: Uncontrolled Resource Consumption"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/typelevel/jawn/security/advisories/GHSA-vc89-hccf-rq55",
            "refsource": "CONFIRM",
            "url": "https://github.com/typelevel/jawn/security/advisories/GHSA-vc89-hccf-rq55"
          },
          {
            "name": "https://github.com/typelevel/jawn/pull/390",
            "refsource": "MISC",
            "url": "https://github.com/typelevel/jawn/pull/390"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-vc89-hccf-rq55",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "(,1.3.2)",
          "affected_versions": "All versions before 1.3.2",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937"
          ],
          "date": "2022-01-10",
          "description": "Jawn is an open source JSON parser. Extenders of the `org.typelevel.jawn.SimpleFacade` and `org.typelevel.jawn.MutableFacade` who don\u0027t override `objectContext()` are vulnerable to a hash collision attack which may result in a denial of service. Most applications do not implement these traits directly, but inherit from a library. `jawn-parser-1.3.1` fixes this issue and users are advised to upgrade. For users unable to upgrade override `objectContext()` to use a collision-safe collection.",
          "fixed_versions": [
            "1.3.2"
          ],
          "identifier": "CVE-2022-21653",
          "identifiers": [
            "GHSA-vc89-hccf-rq55",
            "CVE-2022-21653"
          ],
          "not_impacted": "All versions starting from 1.3.2",
          "package_slug": "maven/org.typelevel/jawn-parser",
          "pubdate": "2022-01-06",
          "solution": "Upgrade to version 1.3.2 or above.",
          "title": "Hash collision in typelevel jawn",
          "urls": [
            "https://github.com/typelevel/jawn/security/advisories/GHSA-vc89-hccf-rq55",
            "https://nvd.nist.gov/vuln/detail/CVE-2022-21653",
            "https://github.com/typelevel/jawn/pull/390",
            "https://github.com/advisories/GHSA-vc89-hccf-rq55"
          ],
          "uuid": "c4967fd2-cefa-4c5f-bb7e-0484bafcba1a"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:typelevel:jawn:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.3.2",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-21653"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Jawn is an open source JSON parser. Extenders of the `org.typelevel.jawn.SimpleFacade` and `org.typelevel.jawn.MutableFacade` who don\u0027t override `objectContext()` are vulnerable to a hash collision attack which may result in a denial of service. Most applications do not implement these traits directly, but inherit from a library. `jawn-parser-1.3.1` fixes this issue and users are advised to upgrade. For users unable to upgrade override `objectContext()` to use a collision-safe collection."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-326"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/typelevel/jawn/pull/390",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Issue Tracking",
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/typelevel/jawn/pull/390"
            },
            {
              "name": "https://github.com/typelevel/jawn/security/advisories/GHSA-vc89-hccf-rq55",
              "refsource": "CONFIRM",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/typelevel/jawn/security/advisories/GHSA-vc89-hccf-rq55"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2022-01-12T18:54Z",
      "publishedDate": "2022-01-05T21:15Z"
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2022-21653 (GCVE-0-2022-21653)

FKIE_CVE-2022-21653

GHSA-VC89-HCCF-RQ55

Impact

Patches

Workarounds

References

Credits

For more information

OPENSUSE-SU-2022:0011-1

OPENSUSE-SU-2022:0106-1

OPENSUSE-SU-2024:11718-1

OPENSUSE-SU-2022:0045-1

GSD-2022-21653

Tags

Sightings

Nomenclature