Vulnerabilities: 1 via 1 paths

Dependencies: 20

Source: GitHub

Commit: 2cc731f2


medium severity

Denial of Service (DoS)

  • Vulnerable module: org.typelevel:jawn-parser_2.12
  • Introduced through: io.circe:circe-parser_2.12@0.11.1

Detailed paths

  • Introduced through: acme-software/arangodb-scala-driver@acme-software/arangodb-scala-driver#2cc731f29ed1c32a3821d9b1dec0c8abc1972428 → io.circe:circe-parser_2.12@0.11.1 → io.circe:circe-jawn_2.12@0.11.1 → org.typelevel:jawn-parser_2.12@0.14.1
    Remediation: Upgrade to io.circe:circe-parser_2.12@0.14.2.

Overview

Affected versions of this package are vulnerable to Denial of Service (DoS). Extenders of the org.typelevel.jawn.SimpleFacade and org.typelevel.jawn.MutableFacade traits that do not override objectContext() are vulnerable to a hash-collision attack. Most applications do not implement these traits directly, but inherit from a library that does.

For users unable to upgrade, override objectContext() to use a collision-safe collection.

Note: Unaffected implementations include:

  • io.argonaut:argonaut-jawn
  • io.circe:circe-parser
  • org.typelevel:jawn-ast (>= 0.8.0)
  • org.typelevel:jawn-json4s (discontinued)
  • org.typelevel:jawn-argonaut (discontinued)

Remediation

Upgrade org.typelevel:jawn-parser_2.12 to version 1.3.2 or higher.