CVE-2021-37714 – org.jsoup:jsoup
Package
Manager: maven
Name: org.jsoup:jsoup
Vulnerable Version: >=0 <1.14.2
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00505 (percentile 0.65219)
Details
Uncaught Exception in jsoup

### Impact
_What kind of vulnerability is it? Who is impacted?_

Those using jsoup to parse untrusted HTML or XML may be vulnerable to DoS attacks. If the parser is run on user-supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial-of-service attack.

### Patches
_Has the problem been patched? What versions should users upgrade to?_

Users should upgrade to jsoup 1.14.2.

### Workarounds
_Is there a way for users to fix or remediate the vulnerability without upgrading?_

Users may rate limit input parsing. Users should limit the size of inputs based on system resources. Users should implement thread watchdogs to cap and timeout parse runtimes.
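The three workarounds above (input size limit, rate limiting, watchdog timeout) can be combined in one wrapper around `Jsoup.parse`. This is an added example, not code from the advisory or the jsoup project; the class name, the limits and the exception type are assumptions chosen for illustration.

```java
import java.util.concurrent.*;
import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;

// Hypothetical wrapper: every name and limit here is an assumption, not jsoup API.
public class BoundedJsoupParser {
    // Assumed limits; size them to the resources of the host.
    static final int MAX_INPUT_CHARS = 1_000_000;
    static final long PARSE_TIMEOUT_MS = 2_000;
    static final int MAX_CONCURRENT_PARSES = 4;

    public static class ParseRejectedException extends Exception {
        ParseRejectedException(String msg, Throwable cause) { super(msg, cause); }
    }

    // Daemon threads: a parse that never returns cannot keep the JVM alive.
    private static final ExecutorService POOL =
        Executors.newFixedThreadPool(MAX_CONCURRENT_PARSES, r -> {
            Thread t = new Thread(r, "jsoup-parse");
            t.setDaemon(true);
            return t;
        });
    // One permit per worker; a stuck parse keeps its permit, so new work is shed, not queued.
    private static final Semaphore SLOTS = new Semaphore(MAX_CONCURRENT_PARSES);

    public static Document parseUntrusted(String html) throws ParseRejectedException {
        if (html == null || html.length() > MAX_INPUT_CHARS)
            throw new ParseRejectedException("input missing or over size limit", null);
        if (!SLOTS.tryAcquire())
            throw new ParseRejectedException("too many parses in flight", null);
        Future<Document> job = POOL.submit(() -> {
            try { return Jsoup.parse(html); } finally { SLOTS.release(); }
        });
        try {
            return job.get(PARSE_TIMEOUT_MS, TimeUnit.MILLISECONDS);
        } catch (TimeoutException e) {
            job.cancel(true); // best-effort interrupt; the caller is unblocked either way
            throw new ParseRejectedException("parse exceeded time budget", e);
        } catch (ExecutionException e) {
            // Unexpected parser exception (CWE-248) is contained and reported uniformly.
            throw new ParseRejectedException("parser threw", e.getCause());
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            job.cancel(true);
            throw new ParseRejectedException("interrupted while waiting", e);
        }
    }
}
```

A worker that keeps spinning after the timeout still burns CPU until it exits, so alert on rejected parses and treat this wrapper as a stopgap until the upgrade to 1.14.2 is deployed.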
Metadata
Created: 2021-08-23T19:42:38Z
Modified: 2022-02-08T20:59:16Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-m72m-mhq2-9p6c/GHSA-m72m-mhq2-9p6c.json
CWE IDs: ["CWE-248", "CWE-835"]
Alternative ID: GHSA-m72m-mhq2-9p6c
Finding: F138
Auto approve: 1