Impact
Extenders of the org.typelevel.jawn.SimpleFacade
and org.typelevel.jawn.MutableFacade
who don't override objectContext()
are vulnerable to a hash collision attack. Most applications do not implement these traits directly, but inherit from a library:
Affected implementations include:
org.http4s
:: http4s-play-json
org.typelevel :: jawn-ast
(< 0.8.0)
org.typelevel :: jawn-play
(discontinued)
org.typelevel :: jawn-rojoma
(discontinued)
org.typelevel :: jawn-spray
(discontinued)
Unaffected implementations include:
io.argonaut :: argonaut-jawn
io.circe :: circe-parser
org.typelevel :: jawn-ast
(>= 0.8.0)
org.typelevel :: jawn-json4s
(discontinued)
org.typelevel :: jawn-argonaut
(discontinued)
Patches
jawn-parser-1.3.2
fixes the issue.
Workarounds
Override objectContext()
to use a collision-safe collection. See the patch for an example in both SimpleFacade
and MutableFacade
.
References
Credits
- @kag0, for the report and the patch
For more information
If you have any questions or comments about this advisory:
References
Impact
Extenders of the
org.typelevel.jawn.SimpleFacade
andorg.typelevel.jawn.MutableFacade
who don't overrideobjectContext()
are vulnerable to a hash collision attack. Most applications do not implement these traits directly, but inherit from a library:Affected implementations include:
org.http4s
::http4s-play-json
org.typelevel :: jawn-ast
(< 0.8.0)org.typelevel :: jawn-play
(discontinued)org.typelevel :: jawn-rojoma
(discontinued)org.typelevel :: jawn-spray
(discontinued)Unaffected implementations include:
io.argonaut :: argonaut-jawn
io.circe :: circe-parser
org.typelevel :: jawn-ast
(>= 0.8.0)org.typelevel :: jawn-json4s
(discontinued)org.typelevel :: jawn-argonaut
(discontinued)Patches
jawn-parser-1.3.2
fixes the issue.Workarounds
Override
objectContext()
to use a collision-safe collection. See the patch for an example in bothSimpleFacade
andMutableFacade
.References
Credits
For more information
If you have any questions or comments about this advisory:
References