7 matches found
com.storm-enroute:scalameter_2.12.0-RC1 (>=0.8 <=0.8.1), com.typesafe.akka:akka-http-spray-json-experimental_2.12.0-RC1 (>=2.4.10 <=2.4.11) +1 more potentially affected by CVE-2018-18855 via io.spray:spray-json_2.12.0-RC1 (=1.3.2)
io.spray:spray-json_2.12.0-RC1 MAVEN version =1.3.2 is affected by a known vulnerability. The following packages have a transitive dependency on io.spray:spray-json_2.12.0-RC1 and may be impacted: - com.storm-enroute:scalameter_2.12.0-RC1 =0.8, =2.4.10, =2.4.11 - org.spire-math:jawn-spray_2.12.0-RC1...
org.typelevel:jawn-ast_3.0.0-M1 (>=1.0.1 <=1.0.2), org.typelevel:jawn-json4s_3.0.0-M1 (>=1.0.1 <=1.0.2) +3 more potentially affected by CVE-2022-21653 via org.typelevel:jawn-parser_3.0.0-M1 (>=1.0.1 <=1.0.2)
org.typelevel:jawn-parser_3.0.0-M1 MAVEN version =1.0.1, =1.0.1, =1.0.1, =1.0.1, =1.0.1, =1.0.1, =1.0.2 Source cves: CVE-2022-21653 Source advisory: OSV:GHSA-VC89-HCCF-RQ55...
io.argonaut:argonaut-jawn_2.13.0-RC1 (=6.2.3), io.circe:circe-iteratee_2.13.0-RC1 (=0.13.0-M1) +8 more potentially affected by CVE-2022-21653 via org.typelevel:jawn-parser_2.13.0-RC1 (=0.14.2)
org.typelevel:jawn-parser_2.13.0-RC1 MAVEN version =0.14.2 is affected by a known vulnerability. The following packages have a transitive dependency on org.typelevel:jawn-parser_2.13.0-RC1 and may be impacted: - io.argonaut:argonaut-jawn_2.13.0-RC1 =6.2.3 - io.circe:circe-iteratee_2.13.0-RC1 =0.13.0-...
org.typelevel:jawn-ast_2.11 (>=1.0.0-RC1 <=1.0.0-RC2), org.typelevel:jawn-json4s_2.11 (>=1.0.0-RC1 <=1.0.0-RC2) +3 more potentially affected by CVE-2022-21653 via org.typelevel:jawn-parser_2.11 (>=1.0.0-RC1 <=1.0.0-RC2)
org.typelevel:jawn-parser_2.11 MAVEN version =1.0.0-RC1, =1.0.0-RC1, =1.0.0-RC1, =1.0.0-RC1, =1.0.0-RC1, =1.0.0-RC1, =1.0.0-RC2 Source cves: CVE-2022-21653 Source advisory: OSV:GHSA-VC89-HCCF-RQ55...
io.argonaut:argonaut-jawn_2.13.0-RC3 (=6.2.3), org.typelevel:jawn-ast_2.13.0-RC3 (=0.14.2) +3 more potentially affected by CVE-2022-21653 via org.typelevel:jawn-parser_2.13.0-RC3 (=0.14.2)
org.typelevel:jawn-parser_2.13.0-RC3 MAVEN version =0.14.2 is affected by a known vulnerability. The following packages have a transitive dependency on org.typelevel:jawn-parser_2.13.0-RC3 and may be impacted: - io.argonaut:argonaut-jawn_2.13.0-RC3 =6.2.3 - org.typelevel:jawn-ast_2.13.0-RC3 =0.14.2 -...
org.typelevel:jawn-ast_0.27 (>=1.0.0 <=1.0.2), org.typelevel:jawn-json4s_0.27 (>=1.0.1 <=1.0.2) +3 more potentially affected by CVE-2022-21653 via org.typelevel:jawn-parser_0.27 (>=1.0.0 <=1.0.2)
org.typelevel:jawn-parser_0.27 MAVEN version =1.0.0, =1.0.0, =1.0.1, =1.0.1, =1.0.1, =1.0.0, =1.0.2 Source cves: CVE-2022-21653 Source advisory: OSV:GHSA-VC89-HCCF-RQ55...
Hash collision in typelevel jawn
Impact: Extenders of the org.typelevel.jawn.SimpleFacade and org.typelevel.jawn.MutableFacade who don't override objectContext are vulnerable to a hash collision attack. Most applications do not implement these traits directly, but inherit from a library. Affected implementations include: org.http...