Debian Bug report logs -
#1018931
jsoup: CVE-2022-36033: The jsoup cleaner may incorrectly sanitize crafted XSS attempts if SafeList.preserveRelativeLinks is enabled
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#1018931; Package src:jsoup.
(Fri, 02 Sep 2022 06:45:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>.
(Fri, 02 Sep 2022 06:45:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: jsoup
Version: 1.15.2-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Hi,
The following vulnerability was published for jsoup.
CVE-2022-36033[0]:
| jsoup is a Java HTML parser, built for HTML editing, cleaning,
| scraping, and cross-site scripting (XSS) safety. jsoup may incorrectly
| sanitize HTML including `javascript:` URL expressions, which could
| allow XSS attacks when a reader subsequently clicks that link. If the
| non-default `SafeList.preserveRelativeLinks` option is enabled, HTML
| including `javascript:` URLs that have been crafted with control
| characters will not be sanitized. If the site that this HTML is
| published on does not set a Content Security Policy, an XSS attack is
| then possible. This issue is patched in jsoup 1.15.3. Users should
| upgrade to this version. Additionally, as the unsanitized input may
| have been persisted, old content should be cleaned again using the
| updated version. To remediate this issue without immediately
| upgrading: - disable `SafeList.preserveRelativeLinks`, which will
| rewrite input URLs as absolute URLs - ensure an appropriate [Content
| Security Policy](https://developer.mozilla.org/en-
| US/docs/Web/HTTP/CSP) is defined. (This should be used regardless of
| upgrading, as a defence-in-depth best practice.)
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-36033
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36033
[1] https://github.com/jhy/jsoup/security/advisories/GHSA-gp7f-rwcx-9369
[2] https://github.com/jhy/jsoup/commit/4ea768d96b3d232e63edef9594766d44597b3882
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Fri Sep 2 13:19:27 2022;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon