GHSA-m72m-mhq2-9p6c
Suggest an improvement- Source
- https://github.com/advisories/GHSA-m72m-mhq2-9p6c
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-m72m-mhq2-9p6c/GHSA-m72m-mhq2-9p6c.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-m72m-mhq2-9p6c
- Aliases
- Published
- 2021-08-23T19:42:38Z
- Modified
- 2024-02-19T05:33:22.013060Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- Uncaught Exception in jsoup
- Details
-
Impact
What kind of vulnerability is it? Who is impacted? Those using jsoup to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack.
Patches
Has the problem been patched? What versions should users upgrade to? Users should upgrade to jsoup 1.14.2
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading? Users may rate limit input parsing. Users should limit the size of inputs based on system resources. Users should implement thread watchdogs to cap and timeout parse runtimes.
- References
-
- https://github.com/jhy/jsoup/security/advisories/GHSA-m72m-mhq2-9p6c
- https://nvd.nist.gov/vuln/detail/CVE-2021-37714
- https://github.com/jhy/jsoup
- https://jsoup.org/news/release-1.14.1
- https://jsoup.org/news/release-1.14.2
- https://lists.apache.org/thread.html/r215009dbf7467a9f6506d0c0024cb36cad30071010e62c9352cfaaf0@%3Cissues.maven.apache.org%3E
- https://lists.apache.org/thread.html/r377b93d79817ce649e9e68b3456e6f499747ef1643fa987b342e082e@%3Cissues.maven.apache.org%3E
- https://lists.apache.org/thread.html/r3d71f18adb78e50f626dde689161ca63d3b7491bd9718fcddfaecba7@%3Cissues.maven.apache.org%3E
- https://lists.apache.org/thread.html/r50e9c9466c592ca9d707a5dea549524d19e3287da08d8392f643960e@%3Cissues.maven.apache.org%3E
- https://lists.apache.org/thread.html/r685c5235235ad0c26e86d0ee987fb802c9675de6081dbf0516464e0b@%3Cnotifications.james.apache.org%3E
- https://lists.apache.org/thread.html/r97404676a5cf591988faedb887d64e278f522adcaa823d89ca69defe@%3Cnotifications.james.apache.org%3E
- https://lists.apache.org/thread.html/rc3354080fc67fb50b45b3c2d12dc4ca2a3c1c78dad3d3ba012c038aa@%3Cnotifications.james.apache.org%3E
- https://security.netapp.com/advisory/ntap-20220210-0022
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
Affected packages
Maven / org.jsoup:jsoup
Package
- Name
- org.jsoup:jsoup
- View open source insights on deps.dev
- Purl
- pkg:maven/org.jsoup/jsoup