CVE-2021-37714

jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue is patched in version 1.14.2. There are a few available workarounds. Users may rate limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and timeout parse runtimes.

CVSS v3.0 7.5 HIGH
CVSS v2.0 5.0 MEDIUM

7.5^/10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:N/I:N/A:P

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

References

Link	Resource
https://jsoup.org/news/release-1.14.1	Release Notes Vendor Advisory
https://jsoup.org/news/release-1.14.2	Release Notes Vendor Advisory
https://github.com/jhy/jsoup/security/advisories/GHSA-m72m-mhq2-9p6c	Third Party Advisory
https://lists.apache.org/thread.html/r685c5235235ad0c26e86d0ee987fb802c9675de6081dbf0516464e0b@%3Cnotifications.james.apache.org%3E	Mailing List Third Party Advisory
https://lists.apache.org/thread.html/rc3354080fc67fb50b45b3c2d12dc4ca2a3c1c78dad3d3ba012c038aa@%3Cnotifications.james.apache.org%3E	Mailing List Third Party Advisory
https://lists.apache.org/thread.html/r97404676a5cf591988faedb887d64e278f522adcaa823d89ca69defe@%3Cnotifications.james.apache.org%3E	Mailing List Third Party Advisory
https://lists.apache.org/thread.html/r50e9c9466c592ca9d707a5dea549524d19e3287da08d8392f643960e@%3Cissues.maven.apache.org%3E	Mailing List Third Party Advisory
https://lists.apache.org/thread.html/r215009dbf7467a9f6506d0c0024cb36cad30071010e62c9352cfaaf0@%3Cissues.maven.apache.org%3E	Mailing List Third Party Advisory
https://lists.apache.org/thread.html/r377b93d79817ce649e9e68b3456e6f499747ef1643fa987b342e082e@%3Cissues.maven.apache.org%3E	Mailing List Third Party Advisory
https://lists.apache.org/thread.html/r3d71f18adb78e50f626dde689161ca63d3b7491bd9718fcddfaecba7@%3Cissues.maven.apache.org%3E	Mailing List Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html	Patch Third Party Advisory
https://security.netapp.com/advisory/ntap-20220210-0022/	Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html	Patch Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:jsoup:jsoup:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*

Configuration 3 (hide)

OR	cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:::::::*
	cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:::::::*
	cpe:2.3:a:oracle:flexcube_universal_banking::::::::
	cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:::::::*
	cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:::::::*
	cpe:2.3:a:oracle:primavera_unifier:20.12:::::::*
	cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0:::::::*
	cpe:2.3:o:oracle:communications_messaging_server:8.1:::::::*
	cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:::::::*
	cpe:2.3:a:oracle:primavera_unifier:21.12:::::::*
	cpe:2.3:a:oracle:banking_trade_finance:14.5:::::::*
	cpe:2.3:a:oracle:banking_treasury_management:14.5:::::::*
	cpe:2.3:a:oracle:flexcube_universal_banking:14.5:::::::*
	cpe:2.3:a:oracle:hospitality_token_proxy_service:19.2:::::::*
	cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation::::::::

Configuration 4 (hide)

cpe:2.3:a:netapp:management_services_for_element_software_and_netapp_hci:-:*:*:*:*:*:*:*

Configuration 5 (hide)

OR	cpe:2.3:a:oracle:middleware_common_libraries_and_tools:12.2.1.4.0:::::::*
	cpe:2.3:a:oracle:middleware_common_libraries_and_tools:12.2.1.3.0:::::::*
	cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.2.0:::::::*
	cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.3.0:::::::*
	cpe:2.3:a:oracle:stream_analytics::::::::
	cpe:2.3:a:oracle:stream_analytics:19c:::::::*

Information

Published : 2021-08-18 08:15

Updated : 2022-12-07 12:14

NVD link : CVE-2021-37714

Mitre link : CVE-2021-37714

JSON object : View

CWE

CWE-835

Loop with Unreachable Exit Condition ('Infinite Loop')

CWE-248

Uncaught Exception

Products Affected

oracle

webcenter_portal
communications_messaging_server
retail_customer_management_and_segmentation_foundation
financial_services_crime_and_compliance_management_studio
business_process_management_suite
primavera_unifier
banking_trade_finance
peoplesoft_enterprise_peopletools
flexcube_universal_banking
hospitality_token_proxy_service
banking_treasury_management
stream_analytics
middleware_common_libraries_and_tools

jsoup

jsoup

quarkus

quarkus

netapp

management_services_for_element_software_and_netapp_hci

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://jsoup.org/news/release-1.14.1", "name": "https://jsoup.org/news/release-1.14.1", "tags": ["Release Notes", "Vendor Advisory"], "refsource": "MISC"}, {"url": "https://jsoup.org/news/release-1.14.2", "name": "https://jsoup.org/news/release-1.14.2", "tags": ["Release Notes", "Vendor Advisory"], "refsource": "MISC"}, {"url": "https://github.com/jhy/jsoup/security/advisories/GHSA-m72m-mhq2-9p6c", "name": "https://github.com/jhy/jsoup/security/advisories/GHSA-m72m-mhq2-9p6c", "tags": ["Third Party Advisory"], "refsource": "CONFIRM"}, {"url": "https://lists.apache.org/thread.html/r685c5235235ad0c26e86d0ee987fb802c9675de6081dbf0516464e0b@%3Cnotifications.james.apache.org%3E", "name": "[james-notifications] 20210820 [GitHub] [james-project] chibenwa opened a new pull request #609: [UPGRADE] JSOUP 1.14.1 -> 1.14.2 to address CVE-2021-37714", "tags": ["Mailing List", "Third Party Advisory"], "refsource": "MLIST"}, {"url": "https://lists.apache.org/thread.html/rc3354080fc67fb50b45b3c2d12dc4ca2a3c1c78dad3d3ba012c038aa@%3Cnotifications.james.apache.org%3E", "name": "[james-notifications] 20210823 [GitHub] [james-project] chibenwa merged pull request #609: [UPGRADE] JSOUP 1.14.1 -> 1.14.2 to address CVE-2021-37714", "tags": ["Mailing List", "Third Party Advisory"], "refsource": "MLIST"}, {"url": "https://lists.apache.org/thread.html/r97404676a5cf591988faedb887d64e278f522adcaa823d89ca69defe@%3Cnotifications.james.apache.org%3E", "name": "[james-notifications] 20210823 [james-project] branch master updated: [UPGRADE] JSOUP 1.14.1 -> 1.14.2 to address CVE-2021-37714", "tags": ["Mailing List", "Third Party Advisory"], "refsource": "MLIST"}, {"url": "https://lists.apache.org/thread.html/r50e9c9466c592ca9d707a5dea549524d19e3287da08d8392f643960e@%3Cissues.maven.apache.org%3E", "name": "[maven-issues] 20210830 [jira] [Created] (WAGON-612) Update jsoup to >= 1.14.2 for fix security issue", "tags": ["Mailing List", "Third Party Advisory"], "refsource": "MLIST"}, {"url": "https://lists.apache.org/thread.html/r215009dbf7467a9f6506d0c0024cb36cad30071010e62c9352cfaaf0@%3Cissues.maven.apache.org%3E", "name": "[maven-issues] 20210901 [jira] [Created] (MNG-7227) Fix CVE-2021-37714 present in apache-maven", "tags": ["Mailing List", "Third Party Advisory"], "refsource": "MLIST"}, {"url": "https://lists.apache.org/thread.html/r377b93d79817ce649e9e68b3456e6f499747ef1643fa987b342e082e@%3Cissues.maven.apache.org%3E", "name": "[maven-issues] 20210901 [jira] [Commented] (MNG-7227) Fix CVE-2021-37714 present in apache-maven", "tags": ["Mailing List", "Third Party Advisory"], "refsource": "MLIST"}, {"url": "https://lists.apache.org/thread.html/r3d71f18adb78e50f626dde689161ca63d3b7491bd9718fcddfaecba7@%3Cissues.maven.apache.org%3E", "name": "[maven-issues] 20210901 [jira] [Updated] (MNG-7227) Fix CVE-2021-37714 present in apache-maven", "tags": ["Mailing List", "Third Party Advisory"], "refsource": "MLIST"}, {"url": "https://www.oracle.com/security-alerts/cpujan2022.html", "name": "https://www.oracle.com/security-alerts/cpujan2022.html", "tags": ["Patch", "Third Party Advisory"], "refsource": "MISC"}, {"url": "https://security.netapp.com/advisory/ntap-20220210-0022/", "name": "https://security.netapp.com/advisory/ntap-20220210-0022/", "tags": ["Third Party Advisory"], "refsource": "CONFIRM"}, {"url": "https://www.oracle.com/security-alerts/cpuapr2022.html", "name": "https://www.oracle.com/security-alerts/cpuapr2022.html", "tags": ["Patch", "Third Party Advisory"], "refsource": "MISC"}, {"url": "https://www.oracle.com/security-alerts/cpujul2022.html", "name": "N/A", "tags": ["Patch", "Third Party Advisory"], "refsource": "N/A"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue is patched in version 1.14.2. There are a few available workarounds. Users may rate limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and timeout parse runtimes."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-248"}, {"lang": "en", "value": "CWE-835"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2021-37714", "ASSIGNER": "security-advisories@github.com"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "NONE"}, "severity": "MEDIUM", "acInsufInfo": false, "impactScore": 2.9, "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}}, "publishedDate": "2021-08-18T15:15Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:jsoup:jsoup:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "1.14.2"}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "2.2.3"}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:oracle:flexcube_universal_banking:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "14.3.0", "versionStartIncluding": "14.0.0"}, {"cpe23Uri": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:oracle:primavera_unifier:20.12:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:oracle:primavera_unifier:21.12:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:oracle:banking_trade_finance:14.5:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:oracle:banking_treasury_management:14.5:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:oracle:flexcube_universal_banking:14.5:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:oracle:hospitality_token_proxy_service:19.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "19.0", "versionStartIncluding": "17.0"}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:netapp:management_services_for_element_software_and_netapp_hci:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:oracle:middleware_common_libraries_and_tools:12.2.1.4.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:oracle:middleware_common_libraries_and_tools:12.2.1.3.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.2.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.3.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:oracle:stream_analytics:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "19.1.0.0.6.4"}, {"cpe23Uri": "cpe:2.3:a:oracle:stream_analytics:19c:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2022-12-07T20:14Z"}

7.5 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

5.0 /10

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

JSON object

Attach tags to CVE-2021-37714

7.5^/10

5.0^/10

Attach tags to `CVE-2021-37714`