CVE-2021-37714

HIGH

Jsoup < 1.14.2 - Infinite Loop

Title source: rule

Description

jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue is patched in version 1.14.2. There are a few available workarounds. Users may rate limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and timeout parse runtimes.

References (14)

[Third Party Advisory] https://github.com/jhy/jsoup/security/advisories/GHSA-m72m-mhq2-9p6c

[Release Notes, Vendor Advisory] https://jsoup.org/news/release-1.14.1

[Release Notes, Vendor Advisory] https://jsoup.org/news/release-1.14.2

[Third Party Advisory] https://security.netapp.com/advisory/ntap-20220210-0022/

[Patch, Third Party Advisory] https://www.oracle.com/security-alerts/cpuapr2022.html

[Patch, Third Party Advisory] https://www.oracle.com/security-alerts/cpujan2022.html

[Patch, Third Party Advisory] https://www.oracle.com/security-alerts/cpujul2022.html

[Mailing List] https://lists.apache.org/thread.html/r215009dbf7467a9f6506d0c0024cb36cad30071010e62c9352cfaaf0%40%3Cissues.maven.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/r377b93d79817ce649e9e68b3456e6f499747ef1643fa987b342e082e%40%3Cissues.maven.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/r3d71f18adb78e50f626dde689161ca63d3b7491bd9718fcddfaecba7%40%3Cissues.maven.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/r50e9c9466c592ca9d707a5dea549524d19e3287da08d8392f643960e%40%3Cissues.maven.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/r685c5235235ad0c26e86d0ee987fb802c9675de6081dbf0516464e0b%40%3Cnotifications.james.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/r97404676a5cf591988faedb887d64e278f522adcaa823d89ca69defe%40%3Cnotifications.james.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/rc3354080fc67fb50b45b3c2d12dc4ca2a3c1c78dad3d3ba012c038aa%40%3Cnotifications.james.apache.org%3E

Scores

CVSS v3 7.5

EPSS 0.0435

EPSS Percentile 88.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Classification

CWE

CWE-248 CWE-835

Status published

Affected Products (25)

jsoup/jsoup < 1.14.2

quarkus/quarkus < 2.2.3

oracle/banking_trade_finance

oracle/banking_treasury_management

oracle/business_process_management_suite

oracle/business_process_management_suite

oracle/flexcube_universal_banking < 14.3.0

oracle/flexcube_universal_banking

oracle/hospitality_token_proxy_service

oracle/peoplesoft_enterprise_peopletools

oracle/peoplesoft_enterprise_peopletools

oracle/primavera_unifier

oracle/primavera_unifier

oracle/retail_customer_management_and_segmentation_foundation < 19.0

oracle/webcenter_portal

... and 10 more

Timeline

Published Aug 18, 2021

Tracked Since Feb 18, 2026