CVE-2022-21653

Name: CVE-2022-21653
Description: Jawn is an open source JSON parser. Extenders of the `org.typelevel.jawn.SimpleFacade` and `org.typelevel.jawn.MutableFacade` traits who don't override `objectContext()` are vulnerable to a hash collision attack which may result in a denial of service. Most applications do not implement these traits directly, but inherit from a library. `jawn-parser-1.3.1` fixes this issue and users are advised to upgrade. For users unable to upgrade, override `objectContext()` to use a collision-safe collection.
Source: CVE (at NVD)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release                                   | Version               | Status
jawn (PTS)     | sid, trixie, buster, bookworm, bullseye  | 0.11.1+really0.6.0-1  | fixed

The information below is based on the following data on fixed versions.

Package | Type   | Release    | Fixed Version  | Urgency | Origin | Debian Bugs
jawn    | source | (unstable) | (not affected) |         |        |

Notes

- jawn <not-affected> (Vulnerable code not uploaded)
https://github.com/typelevel/jawn/pull/390
https://github.com/typelevel/jawn/commit/e5ddb114ed5d45ee0a605da06a280207bf9f9f58 (1.3.2)
https://github.com/typelevel/jawn/commit/0707e2569f43ff6195f90cc0dfc2d0ca79b51dd1 (1.3.2)
