CVE-2021-37714
Alias: EUVD-2021-1791

jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DoS attacks. If the parser is run on user-supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial-of-service attack. The issue is patched in version 1.14.2. There are a few available workarounds: users may rate-limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and time out parse runtimes.

Weakness: Infinite Loop
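The two host-side workarounds the advisory names, an input-size cap and a thread watchdog that bounds parse time, as an added Java example. This is not jsoup's own code and not part of the advisory; the class name GuardedParser, the ParseRejectedException type, and the 1 MiB / 2 s limits are assumptions chosen for illustration. Only the public jsoup entry point Jsoup.parse(String, String) is used.

```java
import java.nio.charset.StandardCharsets;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;

/**
 * Added example (not jsoup's own code): parse untrusted HTML behind a size
 * cap and a watchdog timeout, the workarounds the advisory recommends for
 * jsoup < 1.14.2. Limits below are illustrative assumptions.
 */
public final class GuardedParser {

    /** Assumed cap on input size; tune to the host's memory budget. */
    private static final int MAX_INPUT_BYTES = 1 << 20; // 1 MiB

    /** Assumed ceiling on wall-clock parse time per document. */
    private static final long PARSE_TIMEOUT_MS = 2_000;

    /** Daemon worker threads so a stuck parse cannot block JVM shutdown. */
    private static final ExecutorService POOL = Executors.newCachedThreadPool(r -> {
        Thread t = new Thread(r, "jsoup-parse");
        t.setDaemon(true);
        return t;
    });

    /** Raised when input is refused or the watchdog fires (hypothetical type). */
    public static final class ParseRejectedException extends Exception {
        public ParseRejectedException(String msg) { super(msg); }
        public ParseRejectedException(String msg, Throwable cause) { super(msg, cause); }
    }

    public static Document parseUntrusted(String html, String baseUri) throws ParseRejectedException {
        // 1. Size limit, measured in encoded bytes rather than chars so that
        //    multi-byte input cannot slip past a char-count check.
        int bytes = html.getBytes(StandardCharsets.UTF_8).length;
        if (bytes > MAX_INPUT_BYTES) {
            throw new ParseRejectedException("input too large: " + bytes + " bytes");
        }

        // 2. Watchdog: run the parse on a worker and wait with a deadline,
        //    so a looping or slow parse cannot hold the request thread.
        Future<Document> job = POOL.submit(() -> Jsoup.parse(html, baseUri));
        try {
            return job.get(PARSE_TIMEOUT_MS, TimeUnit.MILLISECONDS);
        } catch (TimeoutException e) {
            // cancel(true) only sets the worker's interrupt flag; a parser loop
            // that never polls it keeps consuming CPU, so the caller should
            // also rate-limit the offending client (third workaround).
            job.cancel(true);
            throw new ParseRejectedException("parse exceeded " + PARSE_TIMEOUT_MS + " ms", e);
        } catch (ExecutionException e) {
            // Unexpected parser exceptions (the advisory's third failure mode)
            // are surfaced as a rejection instead of propagating raw.
            throw new ParseRejectedException("parser failed: " + e.getCause(), e.getCause());
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            job.cancel(true);
            throw new ParseRejectedException("interrupted while parsing", e);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: small and well-formed, so it parses normally.
        Document doc = parseUntrusted("<html><body><p>hello</p></body></html>",
                                      "https://example.invalid/");
        System.out.println(doc.body().text());

        // Constructed oversized input: refused before the parser ever runs.
        try {
            parseUntrusted("x".repeat(MAX_INPUT_BYTES + 1), "https://example.invalid/");
        } catch (ParseRejectedException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The watchdog protects the caller's latency, not the CPU: unless the parser polls the interrupt flag, a thread stuck in the loop described above keeps running after cancel(true) returns, which is why the threads are daemon threads and why a rate limit on the submitting peer belongs alongside the timeout. Parsing in a disposable worker process is the only way to reclaim the CPU; the real fix is upgrading to jsoup 1.14.2 or later.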
CVSS 3.x Base Score

Provider  Type     Base Score  Atk. Vector  Atk. Complexity  Priv. Required  Vector
NIST      Primary  7.5 HIGH    NETWORK      LOW              NONE            CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
GitHub_M  CNA      7.5 HIGH    NETWORK      LOW              NONE            CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS percentile: 88%
Affected Products (NVD)

Vendor   Product                                                    Version
jsoup    jsoup                                                      x < 1.14.2
quarkus  quarkus                                                    x ≤ 2.2.3
oracle   banking_trade_finance                                      14.5
oracle   banking_treasury_management                                14.5
oracle   business_process_management_suite                          12.2.1.3.0
oracle   business_process_management_suite                          12.2.1.4.0
oracle   flexcube_universal_banking                                 14.0.0 ≤ x ≤ 14.3.0
oracle   flexcube_universal_banking                                 14.5
oracle   hospitality_token_proxy_service                            19.2
oracle   peoplesoft_enterprise_peopletools                          8.58
oracle   peoplesoft_enterprise_peopletools                          8.59
oracle   primavera_unifier                                          20.12
oracle   primavera_unifier                                          21.12
oracle   retail_customer_management_and_segmentation_foundation     17.0 ≤ x ≤ 19.0
oracle   webcenter_portal                                           12.2.1.3.0
oracle   webcenter_portal                                           12.2.1.4.0
oracle   communications_messaging_server                            8.1
netapp   management_services_for_element_software_and_netapp_hci    -
oracle   financial_services_crime_and_compliance_management_studio  8.0.8.2.0
oracle   financial_services_crime_and_compliance_management_studio  8.0.8.3.0
oracle   middleware_common_libraries_and_tools                      12.2.1.3.0
oracle   middleware_common_libraries_and_tools                      12.2.1.4.0
oracle   stream_analytics                                           x < 19.1.0.0.6.4

x = vulnerable software versions
Debian Releases

Product: jsoup

Codename  Version   Status
bookworm  1.15.3-1  fixed
bullseye  -         no-dsa
buster    -         no-dsa
sid       1.15.3-1  fixed
stretch   -         no-dsa
trixie    1.15.3-1  fixed
Ubuntu Releases

Product: jsoup

Codename  Status
bionic    needs-triage
focal     needs-triage
hirsute   ignored
impish    ignored
jammy     needs-triage
kinetic   ignored
lunar     not-affected
mantic    not-affected
noble     not-affected
trusty    needs-triage
xenial    needs-triage