Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW03Mm0tbWhxMi05cDZj
Uncaught Exception in jsoup
Impact
What kind of vulnerability is it? Who is impacted?
Those using jsoup to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack.
Patches
Has the problem been patched? What versions should users upgrade to?
Users should upgrade to jsoup 1.14.2
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Users may rate limit input parsing. Users should limit the size of inputs based on system resources. Users should implement thread watchdogs to cap and timeout parse runtimes.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW03Mm0tbWhxMi05cDZj
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: over 1 year ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-m72m-mhq2-9p6c, CVE-2021-37714
References:
- https://github.com/jhy/jsoup/security/advisories/GHSA-m72m-mhq2-9p6c
- https://nvd.nist.gov/vuln/detail/CVE-2021-37714
- https://jsoup.org/news/release-1.14.1
- https://jsoup.org/news/release-1.14.2
- https://lists.apache.org/thread.html/r685c5235235ad0c26e86d0ee987fb802c9675de6081dbf0516464e0b@%3Cnotifications.james.apache.org%3E
- https://lists.apache.org/thread.html/r97404676a5cf591988faedb887d64e278f522adcaa823d89ca69defe@%3Cnotifications.james.apache.org%3E
- https://lists.apache.org/thread.html/rc3354080fc67fb50b45b3c2d12dc4ca2a3c1c78dad3d3ba012c038aa@%3Cnotifications.james.apache.org%3E
- https://lists.apache.org/thread.html/r50e9c9466c592ca9d707a5dea549524d19e3287da08d8392f643960e@%3Cissues.maven.apache.org%3E
- https://lists.apache.org/thread.html/r215009dbf7467a9f6506d0c0024cb36cad30071010e62c9352cfaaf0@%3Cissues.maven.apache.org%3E
- https://lists.apache.org/thread.html/r377b93d79817ce649e9e68b3456e6f499747ef1643fa987b342e082e@%3Cissues.maven.apache.org%3E
- https://lists.apache.org/thread.html/r3d71f18adb78e50f626dde689161ca63d3b7491bd9718fcddfaecba7@%3Cissues.maven.apache.org%3E
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://security.netapp.com/advisory/ntap-20220210-0022/
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://github.com/advisories/GHSA-m72m-mhq2-9p6c
Blast Radius: 36.1
Affected Packages
maven:org.jsoup:jsoup
Dependent packages: 2,627Dependent repositories: 65,058
Downloads:
Affected Version Ranges: < 1.14.2
Fixed in: 1.14.2
All affected versions: 0.2.2, 0.3.1, 1.1.1, 1.2.1, 1.2.2, 1.2.3, 1.3.1, 1.3.2, 1.3.3, 1.4.1, 1.5.1, 1.5.2, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.7.1, 1.7.2, 1.7.3, 1.8.1, 1.8.2, 1.8.3, 1.9.1, 1.9.2, 1.10.1, 1.10.2, 1.10.3, 1.11.1, 1.11.2, 1.11.3, 1.12.1, 1.12.2, 1.13.1, 1.14.1
All unaffected versions: 1.14.2, 1.14.3, 1.15.1, 1.15.2, 1.15.3, 1.15.4, 1.16.1, 1.16.2, 1.17.1, 1.17.2