Bugzilla – Bug 1189749
VUL-0: CVE-2021-37714: jsoup: Crafted input may cause the jsoup HTML and XML parser to get stuck
Last modified: 2024-06-10 12:09:51 UTC
rh#1995259
jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue is patched in version 1.14.2. There are a few available workarounds. Users may rate limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and timeout parse runtimes.
References:
https://jsoup.org/news/release-1.14.1
https://jsoup.org/news/release-1.14.2
https://github.com/jhy/jsoup/security/advisories/GHSA-m72m-mhq2-9p6c
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1995259
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-37714
https://github.com/jhy/jsoup/security/advisories/GHSA-m72m-mhq2-9p6c
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37714
https://jsoup.org/news/release-1.14.2
https://jsoup.org/news/release-1.14.1
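The two workarounds the description names for deployments that cannot upgrade yet, an input size cap and a thread watchdog that times out the parse, as an added example that is not part of this bug report or of jsoup itself; the class name, the pool size, the 1,000,000-character limit and the 2-second budget are assumptions to be tuned to the system:

```java
import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;

import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

/** Hypothetical wrapper around Jsoup.parse that bounds input size and parse time. */
public final class BoundedJsoupParser {
    private static final int MAX_INPUT_CHARS = 1_000_000; // assumed cap; size it to system resources
    private static final long PARSE_TIMEOUT_MS = 2_000;   // assumed per-parse budget

    // Daemon threads: a parser spinning in a non-interruptible loop must not block JVM shutdown.
    private final ExecutorService pool = Executors.newFixedThreadPool(4, r -> {
        Thread t = new Thread(r, "jsoup-parse");
        t.setDaemon(true);
        return t;
    });

    public Document parse(String untrustedHtml, String baseUri) throws Exception {
        // Workaround 1: reject oversized input before the parser ever sees it.
        if (untrustedHtml.length() > MAX_INPUT_CHARS) {
            throw new IllegalArgumentException("input exceeds " + MAX_INPUT_CHARS + " chars");
        }
        // Workaround 2: run the parse on a worker thread and give up after the budget.
        Future<Document> future = pool.submit(() -> Jsoup.parse(untrustedHtml, baseUri));
        try {
            return future.get(PARSE_TIMEOUT_MS, TimeUnit.MILLISECONDS);
        } catch (TimeoutException e) {
            // Best effort only: a worker stuck in the parser's loop may ignore interruption,
            // so the caller is released but the worker thread can stay busy until the JVM exits.
            future.cancel(true);
            throw new IllegalStateException("parse exceeded " + PARSE_TIMEOUT_MS + " ms", e);
        }
    }

    public static void main(String[] args) throws Exception {
        BoundedJsoupParser parser = new BoundedJsoupParser();
        // Constructed, benign sample input that simply exercises the wrapper.
        Document doc = parser.parse("<html><body><p>hello</p></body></html>", "https://example.invalid/");
        System.out.println(doc.body().text());
    }
}
```

Because a stuck worker may not stop on cancellation, each timeout can permanently consume one pool thread, so monitor timeouts as a capacity signal; the watchdog limits blast radius, while the actual fix is the 1.14.2 update.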
tracking as affected:
- SUSE:SLE-15-SP2:Update/jsoup
also relevant for openSUSE:Factory
This is an autogenerated message for OBS integration:
This bug (1189749) was mentioned in
https://build.opensuse.org/request/show/914520 Factory / jsr-305
https://build.opensuse.org/request/show/914521 Factory / jsoup
Submission has been made. This is now in the security team's hands.
SUSE-SU-2022:1265-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 1189749
CVE References: CVE-2021-37714
JIRA References:
Sources used:
openSUSE Leap 15.4 (src): jsoup-1.14.2-150200.3.3.1, jsr-305-3.0.2-150200.3.3.1
openSUSE Leap 15.3 (src): jsoup-1.14.2-150200.3.3.1, jsr-305-3.0.2-150200.3.3.1
SUSE Manager Server 4.1 (src): jsoup-1.14.2-150200.3.3.1, jsr-305-3.0.2-150200.3.3.1
SUSE Manager Retail Branch Server 4.1 (src): jsoup-1.14.2-150200.3.3.1, jsr-305-3.0.2-150200.3.3.1
SUSE Manager Proxy 4.1 (src): jsoup-1.14.2-150200.3.3.1, jsr-305-3.0.2-150200.3.3.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src): jsoup-1.14.2-150200.3.3.1, jsr-305-3.0.2-150200.3.3.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src): jsoup-1.14.2-150200.3.3.1, jsr-305-3.0.2-150200.3.3.1
SUSE Linux Enterprise Server 15-SP2-BCL (src): jsoup-1.14.2-150200.3.3.1, jsr-305-3.0.2-150200.3.3.1
SUSE Linux Enterprise Realtime Extension 15-SP2 (src): jsoup-1.14.2-150200.3.3.1, jsr-305-3.0.2-150200.3.3.1
SUSE Linux Enterprise Module for Development Tools 15-SP4 (src): jsoup-1.14.2-150200.3.3.1, jsr-305-3.0.2-150200.3.3.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src): jsoup-1.14.2-150200.3.3.1, jsr-305-3.0.2-150200.3.3.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src): jsoup-1.14.2-150200.3.3.1, jsr-305-3.0.2-150200.3.3.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src): jsoup-1.14.2-150200.3.3.1, jsr-305-3.0.2-150200.3.3.1
SUSE Enterprise Storage 7 (src): jsoup-1.14.2-150200.3.3.1, jsr-305-3.0.2-150200.3.3.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
All done, closing.