Common Weakness Enumeration

CWE-326

Allowed-with-Review

Inadequate Encryption Strength

Abstraction: Class · Status: Draft

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

631 vulnerabilities reference this CWE, most recent first.

GHSA-V59H-H3V9-HMM2

Vulnerability from github – Published: 2022-05-17 04:17 – Updated: 2025-09-06 00:30
VLAI
Details

The Clorius Controls Java web client before 01.00.0009g allows remote attackers to discover credentials by sniffing the network for cleartext-equivalent traffic.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2014-9199"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2015-01-17T02:59:00Z",
    "severity": "MODERATE"
  },
  "details": "The Clorius Controls Java web client before 01.00.0009g allows remote attackers to discover credentials by sniffing the network for cleartext-equivalent traffic.",
  "id": "GHSA-v59h-h3v9-hmm2",
  "modified": "2025-09-06T00:30:24Z",
  "published": "2022-05-17T04:17:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-9199"
    },
    {
      "type": "WEB",
      "url": "https://ics-cert.us-cert.gov/advisories/ICSA-15-013-02"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-15-013-02"
    },
    {
      "type": "WEB",
      "url": "http://www.cloriuscontrols.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-V686-HWW2-HFFW

Vulnerability from github – Published: 2023-07-13 00:30 – Updated: 2024-04-04 06:05
VLAI
Details

In openMmapStream of AudioFlinger.cpp, there is a possible way to record audio without displaying the microphone privacy indicator due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-20942"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-13T00:15:23Z",
    "severity": "MODERATE"
  },
  "details": "In openMmapStream of AudioFlinger.cpp, there is a possible way to record audio without displaying the microphone privacy indicator due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.\n\n",
  "id": "GHSA-v686-hww2-hffw",
  "modified": "2024-04-04T06:05:10Z",
  "published": "2023-07-13T00:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20942"
    },
    {
      "type": "WEB",
      "url": "https://android.googlesource.com/platform/frameworks/av/+/770b45c3c1619cf4008b89e7a0f4392bf2224bbc"
    },
    {
      "type": "WEB",
      "url": "https://android.googlesource.com/platform/frameworks/av/+/b072419650958c41c87d2baa572dc2fe6da9ea6b"
    },
    {
      "type": "WEB",
      "url": "https://android.googlesource.com/platform/frameworks/av/+/bae3b00a5873d1562679a1289fd8490178cfe064"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2023-07-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V68J-53VW-J6RW

Vulnerability from github – Published: 2025-02-11 12:30 – Updated: 2025-02-11 12:30
VLAI
Details

A vulnerability has been identified in APOGEE PXC Series (BACnet) (All versions), APOGEE PXC Series (P2 Ethernet) (All versions), TALON TC Series (BACnet) (All versions). Affected devices contain a weak encryption mechanism based on a hard-coded key. This could allow an attacker to guess or decrypt the password from the cyphertext.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-54089"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-11T11:15:15Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability has been identified in APOGEE PXC Series (BACnet) (All versions), APOGEE PXC Series (P2 Ethernet) (All versions), TALON TC Series (BACnet) (All versions). Affected devices contain a weak encryption mechanism based on a hard-coded key.\nThis could allow an attacker to guess or decrypt the password from the cyphertext.",
  "id": "GHSA-v68j-53vw-j6rw",
  "modified": "2025-02-11T12:30:54Z",
  "published": "2025-02-11T12:30:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-54089"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-615116.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-V69J-XJP2-JHM8

Vulnerability from github – Published: 2021-12-11 00:00 – Updated: 2022-07-13 00:01
VLAI
Details

An issue was discovered on Digi TransPort devices through 2021-07-21. An authenticated attacker may load customized firmware (because the bootloader does not verify that it is authentic), changing the behavior of the gateway.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-37188"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-10T13:15:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered on Digi TransPort devices through 2021-07-21. An authenticated attacker may load customized firmware (because the bootloader does not verify that it is authentic), changing the behavior of the gateway.",
  "id": "GHSA-v69j-xjp2-jhm8",
  "modified": "2022-07-13T00:01:33Z",
  "published": "2021-12-11T00:00:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37188"
    },
    {
      "type": "WEB",
      "url": "https://raw.githubusercontent.com/reidmefirst/vuln-disclosure/main/2021-04.txt"
    },
    {
      "type": "WEB",
      "url": "https://www.digi.com/search/results?q=transport"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V7HP-7J8C-XRP4

Vulnerability from github – Published: 2025-05-13 21:30 – Updated: 2025-05-13 21:30
VLAI
Details

Inadequate encryption strength for some Edge Orchestrator software for Intel(R) Tiber™ Edge Platform may allow an authenticated user to potentially enable escalation of privilege via adjacent access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-22446"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-13T21:16:09Z",
    "severity": "MODERATE"
  },
  "details": "Inadequate encryption strength for some Edge Orchestrator software for Intel(R) Tiber\u2122 Edge Platform may allow an authenticated user to potentially enable escalation of privilege via adjacent access.",
  "id": "GHSA-v7hp-7j8c-xrp4",
  "modified": "2025-05-13T21:30:56Z",
  "published": "2025-05-13T21:30:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22446"
    },
    {
      "type": "WEB",
      "url": "https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01239.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-V7PR-9GFG-7HPC

Vulnerability from github – Published: 2022-07-26 00:01 – Updated: 2023-07-11 15:31
VLAI
Details

LibreOffice supports the storage of passwords for web connections in the user’s configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in LibreOffice existed where the required initialization vector for encryption was always the same which weakens the security of the encryption making them vulnerable if an attacker has access to the user's configuration data. This issue affects: The Document Foundation LibreOffice 7.2 versions prior to 7.2.7; 7.3 versions prior to 7.3.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-26306"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326",
      "CWE-330"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-25T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "LibreOffice supports the storage of passwords for web connections in the user\u2019s configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in LibreOffice existed where the required initialization vector for encryption was always the same which weakens the security of the encryption making them vulnerable if an attacker has access to the user\u0027s configuration data. This issue affects: The Document Foundation LibreOffice 7.2 versions prior to 7.2.7; 7.3 versions prior to 7.3.1.",
  "id": "GHSA-v7pr-9gfg-7hpc",
  "modified": "2023-07-11T15:31:08Z",
  "published": "2022-07-26T00:01:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26306"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00022.html"
    },
    {
      "type": "WEB",
      "url": "https://www.libreoffice.org/about-us/security/advisories/cve-2022-26306"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/08/13/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V7WJ-223X-4H9H

Vulnerability from github – Published: 2022-05-13 00:00 – Updated: 2022-05-24 00:01
VLAI
Details

An information disclosure vulnerability exists in the router configuration export functionality of InHand Networks InRouter302 V3.5.4. A specially-crafted network request can lead to increased privileges. An attacker can send an HTTP request to trigger this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-26020"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-321",
      "CWE-326",
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-05-12T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An information disclosure vulnerability exists in the router configuration export functionality of InHand Networks InRouter302 V3.5.4. A specially-crafted network request can lead to increased privileges. An attacker can send an HTTP request to trigger this vulnerability.",
  "id": "GHSA-v7wj-223x-4h9h",
  "modified": "2022-05-24T00:01:32Z",
  "published": "2022-05-13T00:00:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26020"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1474"
    },
    {
      "type": "WEB",
      "url": "https://www.inhandnetworks.com/upload/attachment/202205/10/InHand-PSA-2022-01.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V8RC-QJ98-2PV7

Vulnerability from github – Published: 2023-12-05 00:31 – Updated: 2023-12-08 18:30
VLAI
Details

Weak encryption mechanisms in RFID Tags in Yale IA-210 Alarm v1.0 allows attackers to create a cloned tag via physical proximity to the original.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-26942"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-05T00:15:08Z",
    "severity": "MODERATE"
  },
  "details": "Weak encryption mechanisms in RFID Tags in Yale IA-210 Alarm v1.0 allows attackers to create a cloned tag via physical proximity to the original.",
  "id": "GHSA-v8rc-qj98-2pv7",
  "modified": "2023-12-08T18:30:41Z",
  "published": "2023-12-05T00:31:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26942"
    },
    {
      "type": "WEB",
      "url": "https://arxiv.org/abs/2312.00021"
    },
    {
      "type": "WEB",
      "url": "https://www.researchgate.net/publication/375759408_Technical_Report_-_CVE-2022-46480_CVE-2023-26941_CVE-2023-26942_and_CVE-2023-26943#fullTextFileContent"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V9VJ-9PXV-MR2W

Vulnerability from github – Published: 2023-10-20 00:30 – Updated: 2024-09-26 14:11
VLAI
Summary
mycli has Inadequate Encryption Strength
Details

Inadequate encryption strength in mycli 1.27.0 allows attackers to view sensitive information via /mycli/config.py.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "mycli"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.27.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-44690"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-10-20T22:31:26Z",
    "nvd_published_at": "2023-10-19T22:15:09Z",
    "severity": "MODERATE"
  },
  "details": "Inadequate encryption strength in mycli 1.27.0 allows attackers to view sensitive information via `/mycli/config.py`.",
  "id": "GHSA-v9vj-9pxv-mr2w",
  "modified": "2024-09-26T14:11:06Z",
  "published": "2023-10-20T00:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44690"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dbcli/mycli/issues/1131"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/dbcli/mycli"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/mycli/PYSEC-2023-213.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "mycli has Inadequate Encryption Strength"
}

GHSA-VC89-HCCF-RQ55

Vulnerability from github – Published: 2022-01-06 23:48 – Updated: 2025-12-16 22:29
VLAI
Summary
Hash collision in typelevel jawn
Details

Impact

Extenders of the org.typelevel.jawn.SimpleFacade and org.typelevel.jawn.MutableFacade who don't override objectContext() are vulnerable to a hash collision attack. Most applications do not implement these traits directly, but inherit from a library:

Affected implementations include: * org.http4s :: http4s-play-json * org.typelevel :: jawn-ast (< 0.8.0) * org.typelevel :: jawn-play (discontinued) * org.typelevel :: jawn-rojoma (discontinued) * org.typelevel :: jawn-spray (discontinued)

Unaffected implementations include: * io.argonaut :: argonaut-jawn * io.circe :: circe-parser * org.typelevel :: jawn-ast (>= 0.8.0) * org.typelevel :: jawn-json4s (discontinued) * org.typelevel :: jawn-argonaut (discontinued)

Patches

jawn-parser-1.3.2 fixes the issue.

Workarounds

Override objectContext() to use a collision-safe collection. See the patch for an example in both SimpleFacade and MutableFacade.

References

  • https://github.com/typelevel/jawn/pull/390

Credits

  • @kag0, for the report and the patch

For more information

If you have any questions or comments about this advisory: * Open an issue in typelevel/jawn * E-mail a maintainer: * @rossabaker

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 1.3.2"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.typelevel:jawn-parser_0.25"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 1.3.2"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.typelevel:jawn-parserg"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 1.3.2"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.typelevel:jawn-parser_0.27"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 1.3.2"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.typelevel:jawn-parser_2.10"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 1.3.2"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.typelevel:jawn-parser_2.11"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.typelevel:jawn-parser_2.12"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.typelevel:jawn-parser_2.13"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 1.3.2"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.typelevel:jawn-parser_2.13.0-M5"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 1.3.2"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.typelevel:jawn-parser_2.13.0-RC1"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 1.3.2"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.typelevel:jawn-parser_2.13.0-RC2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 1.3.2"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.typelevel:jawn-parser_2.13.0-RC3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.typelevel:jawn-parser_3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 1.3.2"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.typelevel:jawn-parser_3.0.0-M1"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 1.3.2"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.typelevel:jawn-parser_3.0.0-M2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 1.3.2"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.typelevel:jawn-parser_3.0.0-M3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 1.3.2"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.typelevel:jawn-parser_3.0.0-RC1"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 1.3.2"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.typelevel:jawn-parser_3.0.0-RC2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 1.3.2"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.typelevel:jawn-parser_3.0.0-RC3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-21653"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-01-06T20:19:30Z",
    "nvd_published_at": "2022-01-05T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nExtenders of the `org.typelevel.jawn.SimpleFacade` and `org.typelevel.jawn.MutableFacade` who don\u0027t override `objectContext()` are vulnerable to a hash collision attack.  Most applications do not implement these traits directly, but inherit from a library:\n\nAffected implementations include:\n* `org.http4s` :: `http4s-play-json`\n* `org.typelevel :: jawn-ast` (\u003c 0.8.0)\n* `org.typelevel :: jawn-play` (discontinued)\n* `org.typelevel :: jawn-rojoma` (discontinued)\n* `org.typelevel :: jawn-spray` (discontinued)\n\nUnaffected implementations include:\n* `io.argonaut :: argonaut-jawn`\n* `io.circe :: circe-parser`\n* `org.typelevel :: jawn-ast` (\u003e= 0.8.0)\n* `org.typelevel :: jawn-json4s` (discontinued)\n* `org.typelevel :: jawn-argonaut` (discontinued)\n\n### Patches\n\n`jawn-parser-1.3.2` fixes the issue.\n\n### Workarounds\n\nOverride `objectContext()` to use a collision-safe collection.  See [the patch](https://github.com/typelevel/jawn/pull/390/files) for an example in both `SimpleFacade` and `MutableFacade`.\n\n### References\n\n* https://github.com/typelevel/jawn/pull/390\n\n### Credits\n\n* @kag0, for the report and the patch\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [typelevel/jawn](https://github.com/typelevel/jawn)\n* E-mail a maintainer:\n  * [@rossabaker](mailto:ross@rossabaker.com)",
  "id": "GHSA-vc89-hccf-rq55",
  "modified": "2025-12-16T22:29:13Z",
  "published": "2022-01-06T23:48:35Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/typelevel/jawn/security/advisories/GHSA-vc89-hccf-rq55"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21653"
    },
    {
      "type": "WEB",
      "url": "https://github.com/typelevel/jawn/pull/390"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/typelevel/jawn"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Hash collision in typelevel jawn"
}

Mitigation
Architecture and Design

Use an encryption scheme that is currently considered to be strong by experts in the field.

CAPEC-112: Brute Force

In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset.

CAPEC-192: Protocol Analysis

An adversary engages in activities to decipher and/or decode protocol information for a network or application communication protocol used for transmitting information between interconnected nodes or systems on a packet-switched data network. While this type of analysis involves the analysis of a networking protocol inherently, it does not require the presence of an actual or physical network.

CAPEC-20: Encryption Brute Forcing

An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext.