Impact
Extenders of the org.typelevel.jawn.SimpleFacade and org.typelevel.jawn.MutableFacade who don't override objectContext() are vulnerable to a hash collision attack. Most applications do not implement these traits directly, but inherit from a library:
Affected implementations include:
org.http4s :: http4s-play-jsonorg.typelevel :: jawn-ast (< 0.8.0)org.typelevel :: jawn-play (discontinued)org.typelevel :: jawn-rojoma (discontinued)org.typelevel :: jawn-spray (discontinued)
Unaffected implementations include:
io.argonaut :: argonaut-jawnio.circe :: circe-parserorg.typelevel :: jawn-ast (>= 0.8.0)org.typelevel :: jawn-json4s (discontinued)org.typelevel :: jawn-argonaut (discontinued)
Patches
jawn-parser-1.3.2 fixes the issue.
Workarounds
Override objectContext() to use a collision-safe collection. See the patch for an example in both SimpleFacade and MutableFacade.
References
Credits
- @kag0, for the report and the patch
For more information
If you have any questions or comments about this advisory:
Impact
Extenders of the
org.typelevel.jawn.SimpleFacadeandorg.typelevel.jawn.MutableFacadewho don't overrideobjectContext()are vulnerable to a hash collision attack. Most applications do not implement these traits directly, but inherit from a library:Affected implementations include:
org.http4s::http4s-play-jsonorg.typelevel :: jawn-ast(< 0.8.0)org.typelevel :: jawn-play(discontinued)org.typelevel :: jawn-rojoma(discontinued)org.typelevel :: jawn-spray(discontinued)Unaffected implementations include:
io.argonaut :: argonaut-jawnio.circe :: circe-parserorg.typelevel :: jawn-ast(>= 0.8.0)org.typelevel :: jawn-json4s(discontinued)org.typelevel :: jawn-argonaut(discontinued)Patches
jawn-parser-1.3.2fixes the issue.Workarounds
Override
objectContext()to use a collision-safe collection. See the patch for an example in bothSimpleFacadeandMutableFacade.References
Credits
For more information
If you have any questions or comments about this advisory: