Vulnerability Description
jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DoS attacks. If the parser is run on user-supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue is patched in version 1.14.2. There are a few available workarounds: users may rate limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and time out parse runtimes.
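The three workarounds above (rate limiting, an input size cap, and a thread watchdog with a timeout) can be combined in one wrapper around the parser. The following is an added example written for this page; it is not code from jsoup or from the advisory. The class name BoundedHtmlParser, the exception type ParseRejectedException, and the three limits (MAX_INPUT_CHARS, MAX_CONCURRENT_PARSES, PARSE_TIMEOUT_MS) are assumptions to be tuned to the deployment; only Jsoup.parse(String, String) is jsoup's own API.

```java
import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;

import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Future;
import java.util.concurrent.RejectedExecutionException;
import java.util.concurrent.SynchronousQueue;
import java.util.concurrent.ThreadPoolExecutor;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

/**
 * Interim mitigation for parsing untrusted HTML with a jsoup version that cannot
 * yet be upgraded to 1.14.2: bounded input size, bounded concurrency, bounded time.
 * Added example, not jsoup's own code; all limits below are assumed values.
 */
public final class BoundedHtmlParser {
    private static final int MAX_INPUT_CHARS = 1_000_000;  // assumption: size limit per document
    private static final int MAX_CONCURRENT_PARSES = 4;     // assumption: concurrency cap (rate limit)
    private static final long PARSE_TIMEOUT_MS = 2_000;     // assumption: wall-clock cap per parse

    /** Watchdog pool: no queue, so a parse either gets a thread immediately or is rejected. */
    private final ExecutorService watchdog = new ThreadPoolExecutor(
            0, MAX_CONCURRENT_PARSES, 60, TimeUnit.SECONDS,
            new SynchronousQueue<>(),
            r -> {
                Thread t = new Thread(r, "jsoup-parse-watchdog");
                t.setDaemon(true);  // a stuck parser thread must not keep the JVM alive
                return t;
            },
            new ThreadPoolExecutor.AbortPolicy());

    public Document parseUntrusted(String html, String baseUri) throws ParseRejectedException {
        if (html == null) {
            throw new IllegalArgumentException("html must not be null");
        }
        // 1. Input size limit: reject oversized documents before any parsing work is done.
        if (html.length() > MAX_INPUT_CHARS) {
            throw new ParseRejectedException("input too large: " + html.length() + " chars");
        }
        // 2. Rate limit: if every watchdog thread is busy (or stuck), fail closed instead of queueing.
        Future<Document> future;
        try {
            future = watchdog.submit(() -> Jsoup.parse(html, baseUri));
        } catch (RejectedExecutionException e) {
            throw new ParseRejectedException("parser capacity exhausted, try again later");
        }
        // 3. Thread watchdog: cap the parse runtime and abandon a run that does not finish.
        try {
            return future.get(PARSE_TIMEOUT_MS, TimeUnit.MILLISECONDS);
        } catch (TimeoutException e) {
            future.cancel(true);  // interrupts the worker; the caller stops waiting either way
            throw new ParseRejectedException("parse exceeded " + PARSE_TIMEOUT_MS + " ms");
        } catch (ExecutionException e) {
            // An unexpected parser exception is contained here rather than propagated raw.
            throw new ParseRejectedException("parser failed: " + e.getCause());
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new ParseRejectedException("interrupted while waiting for parse");
        }
    }

    /** Signals that the input was refused or the parse was abandoned under one of the limits. */
    public static final class ParseRejectedException extends Exception {
        ParseRejectedException(String message) {
            super(message);
        }
    }
}
```

One caveat a practitioner should keep in mind: Future.cancel(true) only sets the worker's interrupt flag, and a parser caught in a tight loop may never check it, so a timed-out thread can keep burning CPU until it finishes on its own. The bounded pool with AbortPolicy is what turns that into a contained failure (new parses are refused once all watchdog threads are occupied) rather than unbounded thread growth; it is a stopgap, and the real fix remains upgrading to 1.14.2.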
CVSS Score
HIGH (CVSS base score 7.5)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Jsoup | Jsoup | < 1.14.2 |
| Quarkus | Quarkus | <= 2.2.3 |
| Oracle | Banking Trade Finance | 14.5 |
| Oracle | Banking Treasury Management | 14.5 |
| Oracle | Business Process Management Suite | 12.2.1.3.0 |
| Oracle | Flexcube Universal Banking | >= 14.0.0, <= 14.3.0 |
| Oracle | Hospitality Token Proxy Service | 19.2 |
| Oracle | Peoplesoft Enterprise Peopletools | 8.58 |
| Oracle | Primavera Unifier | 20.12 |
| Oracle | Retail Customer Management And Segmentation Foundation | >= 17.0, <= 19.0 |
| Oracle | Webcenter Portal | 12.2.1.3.0 |
| Oracle | Communications Messaging Server | 8.1 |
| Netapp | Management Services For Element Software And Netapp Hci | - |
| Oracle | Financial Services Crime And Compliance Management Studio | 8.0.8.2.0 |
| Oracle | Middleware Common Libraries And Tools | 12.2.1.3.0 |
| Oracle | Stream Analytics | < 19.1.0.0.6.4 |
Related Weaknesses (CWE)
References
- https://github.com/jhy/jsoup/security/advisories/GHSA-m72m-mhq2-9p6c (Third Party Advisory)
- https://jsoup.org/news/release-1.14.1 (Release Notes, Vendor Advisory)
- https://jsoup.org/news/release-1.14.2 (Release Notes, Vendor Advisory)
- https://lists.apache.org/thread.html/r215009dbf7467a9f6506d0c0024cb36cad30071010
- https://lists.apache.org/thread.html/r377b93d79817ce649e9e68b3456e6f499747ef1643
- https://lists.apache.org/thread.html/r3d71f18adb78e50f626dde689161ca63d3b7491bd9
- https://lists.apache.org/thread.html/r50e9c9466c592ca9d707a5dea549524d19e3287da0
- https://lists.apache.org/thread.html/r685c5235235ad0c26e86d0ee987fb802c9675de608
- https://lists.apache.org/thread.html/r97404676a5cf591988faedb887d64e278f522adcaa
- https://lists.apache.org/thread.html/rc3354080fc67fb50b45b3c2d12dc4ca2a3c1c78dad
- https://security.netapp.com/advisory/ntap-20220210-0022/ (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuapr2022.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujan2022.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujul2022.html (Patch, Third Party Advisory)
FAQ
What is CVE-2021-37714?
CVE-2021-37714 is a vulnerability with a CVSS score of 7.5 (HIGH). jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DoS attacks. If the parser is run on user-supplied input, ...
How severe is CVE-2021-37714?
CVE-2021-37714 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS Score section above for the severity rating.
Is there a patch for CVE-2021-37714?
Check the references section above for vendor advisories and patch information. Affected products include: Jsoup Jsoup, Quarkus Quarkus, Oracle Banking Trade Finance, Oracle Banking Treasury Management, Oracle Business Process Management Suite.