CVE-2021-37714

HIGH

Jsoup < 1.14.2 - Infinite Loop

Title source: rule

Description

jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue is patched in version 1.14.2. There are a few available workarounds. Users may rate limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and timeout parse runtimes.

References (14)

[Third Party Advisory] https://github.com/jhy/jsoup/security/advisories/GHSA-m72m-mhq2-9p6c

[Release Notes, Vendor Advisory] https://jsoup.org/news/release-1.14.1

[Release Notes, Vendor Advisory] https://jsoup.org/news/release-1.14.2

[Mailing List] https://lists.apache.org/thread.html/r215009dbf7467a9f6506d0c0024cb36cad30071010e62c9352cfaaf0%40%3Cissues.maven.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/r377b93d79817ce649e9e68b3456e6f499747ef1643fa987b342e082e%40%3Cissues.maven.apache.org%3E

[Patch, Third Party Advisory] https://www.oracle.com/security-alerts/cpujan2022.html

[Patch, Third Party Advisory] https://www.oracle.com/security-alerts/cpuapr2022.html

[Third Party Advisory] https://security.netapp.com/advisory/ntap-20220210-0022/

[Patch, Third Party Advisory] https://www.oracle.com/security-alerts/cpujul2022.html

[Mailing List] https://lists.apache.org/thread.html/r685c5235235ad0c26e86d0ee987fb802c9675de6081dbf0516464e0b%40%3Cnotifications.james.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/rc3354080fc67fb50b45b3c2d12dc4ca2a3c1c78dad3d3ba012c038aa%40%3Cnotifications.james.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/r97404676a5cf591988faedb887d64e278f522adcaa823d89ca69defe%40%3Cnotifications.james.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/r50e9c9466c592ca9d707a5dea549524d19e3287da08d8392f643960e%40%3Cissues.maven.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/r3d71f18adb78e50f626dde689161ca63d3b7491bd9718fcddfaecba7%40%3Cissues.maven.apache.org%3E

Scores

CVSS v3 7.5

EPSS 0.0435

EPSS Percentile 89.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE

CWE-248 CWE-835

Status published

Products (25)

jsoup/jsoup < 1.14.2

netapp/management_services_for_element_software_and_netapp_hci

oracle/banking_trade_finance 14.5

oracle/banking_treasury_management 14.5

oracle/business_process_management_suite 12.2.1.3.0

oracle/business_process_management_suite 12.2.1.4.0

oracle/communications_messaging_server 8.1

oracle/financial_services_crime_and_compliance_management_studio 8.0.8.2.0

oracle/financial_services_crime_and_compliance_management_studio 8.0.8.3.0

oracle/flexcube_universal_banking 14.5

... and 15 more

Published Aug 18, 2021

Tracked Since Feb 18, 2026