
CVE-2021-37714

CVSSv4: NA | CVSSv3: 7.5 | CVSSv2: 5 | VMScore: 850 | EPSS: 0.00706 | KEV: Not Included
Published: 18/08/2021 Updated: 21/11/2024

Vulnerability Summary

jsoup is a Java library for working with HTML. Applications that use jsoup versions before 1.14.2 to parse untrusted HTML or XML may be vulnerable to denial-of-service (DoS) attacks. If the parser is run on user-supplied input, an attacker can supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception; any of these can support a DoS attack. The issue is patched in version 1.14.2. For deployments that cannot upgrade immediately, the upstream advisory lists workarounds: rate-limit parsing of untrusted input, cap input size according to available system resources, and/or run parses under a thread watchdog that caps and times out parse runtimes.
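The following is an added example, not code from jsoup or from this advisory, showing how the three listed workarounds (input size cap, concurrency limit, thread watchdog with timeout) can be wrapped around Jsoup.parse() while an upgrade to 1.14.2 is pending. The class name BoundedHtmlParser, the exception type ParseRejectedException and the numeric limits are illustrative assumptions; the sample HTML in main() is constructed and is not a reproducer for the CVE.

```java
// Added example: bounded parsing of untrusted HTML with jsoup.
// Not jsoup's own code; class names and limits are illustrative assumptions.
import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;

import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.RejectedExecutionException;
import java.util.concurrent.Semaphore;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

public final class BoundedHtmlParser implements AutoCloseable {
    // Illustrative limits; tune to the service's memory and latency budget.
    private static final int MAX_INPUT_CHARS = 512 * 1024;
    private static final long PARSE_TIMEOUT_MS = 2_000;
    private static final int MAX_CONCURRENT_PARSES = 4;

    /** One defined failure type for "rejected before parsing" and "cut off while parsing". */
    public static final class ParseRejectedException extends Exception {
        ParseRejectedException(String msg) { super(msg); }
        ParseRejectedException(String msg, Throwable cause) { super(msg, cause); }
    }

    // Parses run on a bounded pool of daemon threads, so a stuck parser never
    // blocks the caller's thread and cannot keep the JVM alive at shutdown.
    private final ExecutorService pool = Executors.newFixedThreadPool(MAX_CONCURRENT_PARSES, r -> {
        Thread t = new Thread(r, "jsoup-parse");
        t.setDaemon(true);
        return t;
    });
    // Reject, rather than queue, once every parse slot is busy: a flood of slow
    // inputs then yields fast failures instead of an unbounded backlog (rate limit).
    private final Semaphore slots = new Semaphore(MAX_CONCURRENT_PARSES);

    public Document parse(String untrustedHtml, String baseUri) throws ParseRejectedException {
        // 1. Size cap, checked before the parser touches the input.
        if (untrustedHtml.length() > MAX_INPUT_CHARS) {
            throw new ParseRejectedException("input exceeds " + MAX_INPUT_CHARS + " chars");
        }
        // 2. Concurrency cap.
        if (!slots.tryAcquire()) {
            throw new ParseRejectedException("too many concurrent parses");
        }
        Future<Document> task;
        try {
            task = pool.submit(() -> {
                try {
                    return Jsoup.parse(untrustedHtml, baseUri);
                } finally {
                    slots.release(); // a parse that never returns keeps its slot
                }
            });
        } catch (RejectedExecutionException e) {
            slots.release();
            throw new ParseRejectedException("parser is shut down", e);
        }
        try {
            // 3. Watchdog: the caller waits at most PARSE_TIMEOUT_MS.
            return task.get(PARSE_TIMEOUT_MS, TimeUnit.MILLISECONDS);
        } catch (TimeoutException e) {
            // cancel(true) sets the worker's interrupt flag. Java interruption is
            // cooperative: a parser loop that never checks the flag keeps running and
            // its pool slot stays occupied. The caller is protected, but the worker
            // may be lost until restart; upgrading to 1.14.2 is the actual fix.
            task.cancel(true);
            throw new ParseRejectedException("parse exceeded " + PARSE_TIMEOUT_MS + " ms", e);
        } catch (ExecutionException e) {
            // The advisory also lists "throw an unexpected exception": map any
            // parser failure to one defined error instead of leaking it upward.
            throw new ParseRejectedException("parser failed on input", e.getCause());
        } catch (InterruptedException e) {
            task.cancel(true);
            Thread.currentThread().interrupt();
            throw new ParseRejectedException("interrupted while waiting for parse", e);
        }
    }

    @Override
    public void close() { pool.shutdownNow(); }

    public static void main(String[] args) throws Exception {
        try (BoundedHtmlParser parser = new BoundedHtmlParser()) {
            // Constructed sample input; parses normally and is returned as a Document.
            Document doc = parser.parse("<html><body><p>hello <b>world</b></p></body></html>",
                    "https://example.invalid/");
            System.out.println(doc.body().text());
            // Constructed oversized input; rejected by the size cap before parsing.
            String oversized = "<p>".repeat(MAX_INPUT_CHARS);
            try {
                parser.parse(oversized, "https://example.invalid/");
            } catch (ParseRejectedException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Two consequences of this design are worth knowing before deploying it. A hung parse on a pre-1.14.2 jsoup that ignores interruption never releases its Semaphore slot, so after MAX_CONCURRENT_PARSES such inputs every further call fails fast with "too many concurrent parses"; that is the intended degraded mode (the service stays responsive) and is also the signal to alert on. And the size cap counts UTF-16 chars, not bytes, so set it against the memory the parsed DOM will occupy, not the wire size of the request.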

Vulnerable Products

jsoup jsoup (versions before 1.14.2)
quarkus quarkus
oracle banking trade finance 14.5
oracle banking treasury management 14.5
oracle business process management suite 12.2.1.3.0
oracle business process management suite 12.2.1.4.0
oracle flexcube universal banking
oracle flexcube universal banking 14.5
oracle hospitality token proxy service 19.2
oracle peoplesoft enterprise peopletools 8.58
oracle peoplesoft enterprise peopletools 8.59
oracle primavera unifier 20.12
oracle primavera unifier 21.12
oracle retail customer management and segmentation foundation
oracle webcenter portal 12.2.1.3.0
oracle webcenter portal 12.2.1.4.0
oracle communications messaging server 8.1
netapp management services for element software and netapp hci
oracle financial services crime and compliance management studio 8.0.8.2.0
oracle financial services crime and compliance management studio 8.0.8.3.0
oracle middleware common libraries and tools 12.2.1.3.0
oracle middleware common libraries and tools 12.2.1.4.0
oracle stream analytics
oracle stream analytics 19c

Vendor Advisories

Debian Bug report logs - #992590 jsoup: CVE-2021-37714. Package: src:jsoup; Maintainer for src:jsoup is Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Fri, 20 Aug 2021 15:33:01 UTC; Severity: important; Tags: security, upstream; Found i ...
Synopsis: Moderate: Red Hat Integration Camel-K 1.8 security update. Type/Severity: Security Advisory: Moderate. Topic: A minor version update is now available for Red Hat Integration Camel K. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Red Hat Product Security has rated this update as havi ...
Synopsis: Moderate: Red Hat Process Automation Manager 7.13.0 security update. Type/Severity: Security Advisory: Moderate. Topic: An update is now available for Red Hat Process Automation Manager. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a ...
Synopsis: Moderate: Red Hat build of Quarkus 2.2.5 release and security update. Type/Severity: Security Advisory: Moderate. Topic: An update is now available for Red Hat build of Quarkus. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a det ...
Synopsis: Moderate: Red Hat Integration Camel Extensions for Quarkus 2.7 security update. Type/Severity: Security Advisory: Moderate. Topic: Red Hat Integration Camel Extensions for Quarkus 2.7 is now available. The purpose of this text-only errata is to inform you about the security issues fixed. Red Hat Product Security has rated this update as h ...
jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DoS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to thro ...
Multiple vulnerabilities have been found in Hitachi Ops Center Common Services: CVE-2019-10172, CVE-2020-27218, CVE-2021-4133, CVE-2021-22060, CVE-2021-22096, CVE-2021-30468, CVE-2021-37136, CVE-2021-37137, CVE-2021-37714, CVE-2021-40690, CVE-2021-42575, CVE-2022-22968. Affected products and versions are listed below. Please upgrade your version ...

References

CWE-248 (Uncaught Exception), CWE-835 (Loop with Unreachable Exit Condition, 'Infinite Loop')
https://nvd.nist.gov
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992590
https://www.first.org/epss
https://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2022-115/index.html
https://github.com/jhy/jsoup/security/advisories/GHSA-m72m-mhq2-9p6c
https://jsoup.org/news/release-1.14.1
https://jsoup.org/news/release-1.14.2
https://lists.apache.org/thread.html/r215009dbf7467a9f6506d0c0024cb36cad30071010e62c9352cfaaf0%40%3Cissues.maven.apache.org%3E
https://lists.apache.org/thread.html/r377b93d79817ce649e9e68b3456e6f499747ef1643fa987b342e082e%40%3Cissues.maven.apache.org%3E
https://lists.apache.org/thread.html/r3d71f18adb78e50f626dde689161ca63d3b7491bd9718fcddfaecba7%40%3Cissues.maven.apache.org%3E
https://lists.apache.org/thread.html/r50e9c9466c592ca9d707a5dea549524d19e3287da08d8392f643960e%40%3Cissues.maven.apache.org%3E
https://lists.apache.org/thread.html/r685c5235235ad0c26e86d0ee987fb802c9675de6081dbf0516464e0b%40%3Cnotifications.james.apache.org%3E
https://lists.apache.org/thread.html/r97404676a5cf591988faedb887d64e278f522adcaa823d89ca69defe%40%3Cnotifications.james.apache.org%3E
https://lists.apache.org/thread.html/rc3354080fc67fb50b45b3c2d12dc4ca2a3c1c78dad3d3ba012c038aa%40%3Cnotifications.james.apache.org%3E
https://security.netapp.com/advisory/ntap-20220210-0022/
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpujul2022.html