net.liftweb:lift-json_2.9.1@2.4-RC1 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the net.liftweb:lift-json_2.9.1 package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability: XML External Entity (XXE) Injection
Package: net.liftweb:lift-json_2.9.1
Severity: M (medium)
Vulnerable versions: [,2.5.3) (all versions before 2.5.3)

Lift 2.5.1 was found to be vulnerable to XML External Entity attacks, which can leak private files through your application when parsing certain types of XML. In the process of communicating the vulnerability to Typesafe, they referred us to a more-restricted version of XML parsing used to prevent additional vulnerabilities like the billion laughs vulnerability and its sibling quadratic blowup vulnerability.

Vulnerability: Information Exposure
Package: net.liftweb:lift-json_2.9.1
Severity: M (medium)
Vulnerable versions: [,2.5-RC3) (all versions before 2.5-RC3)

The JsonParser class in json/JsonParser.scala in Lift before 2.5 interprets a certain end-index value as a length value, which allows remote authenticated users to obtain sensitive information from other users' sessions via invalid input data containing a < (less than) character.