github
diff --git a/‎advisories/github-reviewed/2022/01/GHSA-vc89-hccf-rq55/GHSA-vc89-hccf-rq55.json‎
Lines changed: 326 additions & 3 deletions b/‎advisories/github-reviewed/2022/01/GHSA-vc89-hccf-rq55/GHSA-vc89-hccf-rq55.json‎
Lines changed: 326 additions & 3 deletions
@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-vc89-hccf-rq55",
-  "modified": "2022-01-06T20:19:30Z",
+  "modified": "2025-12-16T22:29:13Z",
   "published": "2022-01-06T23:48:35Z",
   "aliases": [
     "CVE-2022-21653"
   ],
   "summary": "Hash collision in typelevel jawn",
-  "details": "### Impact\n\nExtenders of the `org.typelevel.jawn.SimpleFacade` and `org.typelevel.jawn.MutableFacade` who don't override `objectContext()` are vulnerable to a hash collision attack.  Most applications do not implement these traits directly, but inherit from a library:\n\nAffected implementations include:\n* `org.http4s` :: `http4s-play-json`\n* `org.typelevel :: jawn-ast` (< 0.8.0)\n* `org.typelevel :: jawn-play` (discontinued)\n* `org.typelevel :: jawn-rojoma` (discontinued)\n* `org.typelevel :: jawn-spray` (discontinued)\n\nUnaffected implementations include:\n* `io.argonaut :: argonaut-jawn`\n* `io.circe :: circe-parser`\n* `org.typelevel :: jawn-ast` (>= 0.8.0)\n* `org.typelevel :: jawn-json4s` (discontinued)\n* `org.typelevel :: jawn-argonaut` (discontinued)\n\n### Patches\n\n`jawn-parser-1.3.2` fixes the issue.\n\n### Workarounds\n\nOverride `objectContext()` to use a collision-safe collection.  See [the patch](https://github.com/typelevel/jawn/pull/390/files) for an example in both `SimpleFacade` and `MutableFacade`.\n\n### References\n\n* https://github.com/typelevel/jawn/pull/390\n\n### Credits\n\n* @kag0, for the report and the patch\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [typelevel/jawn](https://github.com/typelevel/jawn)\n* E-mail a maintainer:\n  * [@rossabaker](mailto:[email protected])\n",
+  "details": "### Impact\n\nExtenders of the `org.typelevel.jawn.SimpleFacade` and `org.typelevel.jawn.MutableFacade` who don't override `objectContext()` are vulnerable to a hash collision attack.  Most applications do not implement these traits directly, but inherit from a library:\n\nAffected implementations include:\n* `org.http4s` :: `http4s-play-json`\n* `org.typelevel :: jawn-ast` (< 0.8.0)\n* `org.typelevel :: jawn-play` (discontinued)\n* `org.typelevel :: jawn-rojoma` (discontinued)\n* `org.typelevel :: jawn-spray` (discontinued)\n\nUnaffected implementations include:\n* `io.argonaut :: argonaut-jawn`\n* `io.circe :: circe-parser`\n* `org.typelevel :: jawn-ast` (>= 0.8.0)\n* `org.typelevel :: jawn-json4s` (discontinued)\n* `org.typelevel :: jawn-argonaut` (discontinued)\n\n### Patches\n\n`jawn-parser-1.3.2` fixes the issue.\n\n### Workarounds\n\nOverride `objectContext()` to use a collision-safe collection.  See [the patch](https://github.com/typelevel/jawn/pull/390/files) for an example in both `SimpleFacade` and `MutableFacade`.\n\n### References\n\n* https://github.com/typelevel/jawn/pull/390\n\n### Credits\n\n* @kag0, for the report and the patch\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [typelevel/jawn](https://github.com/typelevel/jawn)\n* E-mail a maintainer:\n  * [@rossabaker](mailto:[email protected])",
   "severity": [
     {
       "type": "CVSS_V3",
@@ -18,7 +18,216 @@
     {
       "package": {
         "ecosystem": "Maven",
-        "name": "org.typelevel:jawn-parser"
+        "name": "org.typelevel:jawn-parser_0.25"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "< 1.3.2"
+      }
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.typelevel:jawn-parserg"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "< 1.3.2"
+      }
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.typelevel:jawn-parser_0.27"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "< 1.3.2"
+      }
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.typelevel:jawn-parser_2.10"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "< 1.3.2"
+      }
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.typelevel:jawn-parser_2.11"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "< 1.3.2"
+      }
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.typelevel:jawn-parser_2.12"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.3.2"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.typelevel:jawn-parser_2.13"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.3.2"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.typelevel:jawn-parser_2.13.0-M5"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "< 1.3.2"
+      }
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.typelevel:jawn-parser_2.13.0-RC1"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "< 1.3.2"
+      }
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.typelevel:jawn-parser_2.13.0-RC2"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "< 1.3.2"
+      }
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.typelevel:jawn-parser_2.13.0-RC3"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "< 1.3.2"
+      }
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.typelevel:jawn-parser_3"
       },
       "ranges": [
         {
@@ -33,6 +242,120 @@
           ]
         }
       ]
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.typelevel:jawn-parser_3.0.0-M1"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "< 1.3.2"
+      }
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.typelevel:jawn-parser_3.0.0-M2"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "< 1.3.2"
+      }
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.typelevel:jawn-parser_3.0.0-M3"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "< 1.3.2"
+      }
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.typelevel:jawn-parser_3.0.0-RC1"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "< 1.3.2"
+      }
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.typelevel:jawn-parser_3.0.0-RC2"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "< 1.3.2"
+      }
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.typelevel:jawn-parser_3.0.0-RC3"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "< 1.3.2"
+      }
     }
   ],
   "references": [