CVE-2021-37714
CVE-2021-37714 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. EPSS estimates a 6.87% chance of exploitation in the next 30 days.
Description
jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DoS attacks. If the parser is run on user-supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial-of-service attack. The issue is patched in version 1.14.2. There are a few available workarounds. Users may rate-limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and time out parse runtimes.
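The size-limit and thread-watchdog workarounds above, as an added example (not code from the jsoup project or from this advisory); the class name, limits and exception type are assumptions chosen for illustration, and upgrading to 1.14.2 remains the actual fix:

```java
import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;
import java.util.concurrent.*;

// Wraps Jsoup.parse so untrusted input cannot tie up the calling thread.
public final class GuardedHtmlParser {
    // Constructed limits; tune to the system's resources.
    private static final int MAX_INPUT_CHARS = 1 << 20;   // 1 Mi characters
    private static final long PARSE_TIMEOUT_MS = 2_000;   // 2 seconds

    // Bounded pool of daemon threads: a parse that never returns occupies
    // at most one slot and does not block JVM shutdown.
    private final ExecutorService pool = Executors.newFixedThreadPool(4, r -> {
        Thread t = new Thread(r, "jsoup-parse");
        t.setDaemon(true);
        return t;
    });

    public Document parseUntrusted(String html) throws ParseRejectedException {
        // Workaround 1: reject oversized input before parsing.
        if (html.length() > MAX_INPUT_CHARS) {
            throw new ParseRejectedException("input too large: " + html.length() + " chars");
        }
        // Workaround 2: parse on a watched thread and cap the wait.
        Future<Document> f = pool.submit(() -> Jsoup.parse(html));
        try {
            return f.get(PARSE_TIMEOUT_MS, TimeUnit.MILLISECONDS);
        } catch (TimeoutException e) {
            // A parser stuck in a loop may not observe the interrupt; the
            // caller is released either way and the bounded pool contains it.
            f.cancel(true);
            throw new ParseRejectedException("parse exceeded " + PARSE_TIMEOUT_MS + " ms");
        } catch (ExecutionException e) {
            // Covers the "unexpected exception" case in the advisory.
            throw new ParseRejectedException("parser failed: " + e.getCause());
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new ParseRejectedException("interrupted while parsing");
        }
    }

    public static final class ParseRejectedException extends Exception {
        ParseRejectedException(String msg) { super(msg); }
    }
}
```

Rejections should be logged with the input size and elapsed time, since a spike of timeouts from one client is the signal that this weakness is being exercised.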
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Jsoup | Jsoup | < 1.14.2 |
| Quarkus | Quarkus | <= 2.2.3 |
| Oracle | Banking Trade Finance | 14.5 |
| Oracle | Banking Treasury Management | 14.5 |
| Oracle | Business Process Management Suite | 12.2.1.3.0 |
| Oracle | Business Process Management Suite | 12.2.1.4.0 |
| Oracle | Flexcube Universal Banking | >= 14.0.0, <= 14.3.0 |
| Oracle | Flexcube Universal Banking | 14.5 |
| Oracle | Hospitality Token Proxy Service | 19.2 |
| Oracle | Peoplesoft Enterprise Peopletools | 8.58 |
| Oracle | Peoplesoft Enterprise Peopletools | 8.59 |
| Oracle | Primavera Unifier | 20.12 |
| Oracle | Primavera Unifier | 21.12 |
| Oracle | Retail Customer Management And Segmentation Foundation | >= 17.0, <= 19.0 |
| Oracle | Webcenter Portal | 12.2.1.3.0 |
| Oracle | Webcenter Portal | 12.2.1.4.0 |
| Oracle | Communications Messaging Server | 8.1 |
| Netapp | Management Services For Element Software And Netapp Hci | All versions |
| Oracle | Financial Services Crime And Compliance Management Studio | 8.0.8.2.0 |
| Oracle | Financial Services Crime And Compliance Management Studio | 8.0.8.3.0 |
| Oracle | Middleware Common Libraries And Tools | 12.2.1.3.0 |
| Oracle | Middleware Common Libraries And Tools | 12.2.1.4.0 |
| Oracle | Stream Analytics | < 19.1.0.0.6.4 |
| Oracle | Stream Analytics | 19c |
References
- https://github.com/jhy/jsoup/security/advisories/GHSA-m72m-mhq2-9p6c (Third Party Advisory)
- https://jsoup.org/news/release-1.14.1 (Release Notes, Vendor Advisory)
- https://jsoup.org/news/release-1.14.2 (Release Notes, Vendor Advisory)
- https://security.netapp.com/advisory/ntap-20220210-0022/ (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuapr2022.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujan2022.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujul2022.html (Patch, Third Party Advisory)
Source: NVD / NIST
