3 matches found
io.argonaut:argonaut-jawn_2.13.0-RC1 (=6.2.3), io.circe:circe-iteratee_2.13.0-RC1 (=0.13.0-M1) +8 more potentially affected by CVE-2022-21653 via org.typelevel:jawn-parser_2.13.0-RC1 (=0.14.2)
org.typelevel:jawn-parser_2.13.0-RC1 MAVEN version =0.14.2 is affected by a known vulnerability. The following packages have a transitive dependency on org.typelevel:jawn-parser_2.13.0-RC1 and may be impacted: - io.argonaut:argonaut-jawn_2.13.0-RC1 =6.2.3 - io.circe:circe-iteratee_2.13.0-RC1 =0.13.0-...
com.github.ghostdogpr:caliban-client_3.0.0-RC3 (=0.10.0), com.github.ghostdogpr:caliban-zio-http_3.0.0-RC3 (=0.10.0) +9 more potentially affected by CVE-2022-21653 via org.typelevel:jawn-parser_3.0.0-RC3 (=1.1.2)
org.typelevel:jawn-parser_3.0.0-RC3 MAVEN version =1.1.2 is affected by a known vulnerability. The following packages have a transitive dependency on org.typelevel:jawn-parser_3.0.0-RC3 and may be impacted: - com.github.ghostdogpr:caliban-client_3.0.0-RC3 =0.10.0 -...
Hash collision in typelevel jawn
Impact: Extenders of the org.typelevel.jawn.SimpleFacade and org.typelevel.jawn.MutableFacade who don't override objectContext are vulnerable to a hash collision attack. Most applications do not implement these traits directly, but inherit from a library. Affected implementations include: org.http...