CVE-2021-37714
HIGHjsoup < 1.14.2 - Denial of Service via Malicious HTML/XML Input
Title source: llmDescription
jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue is patched in version 1.14.2. There are a few available workarounds. Users may rate limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and timeout parse runtimes.
References (14)
Core 14
Core References
Third Party Advisory x_refsource_confirm
https://github.com/jhy/jsoup/security/advisories/GHSA-m72m-mhq2-9p6c
Release Notes, Vendor Advisory x_refsource_misc
https://jsoup.org/news/release-1.14.1
Release Notes, Vendor Advisory x_refsource_misc
https://jsoup.org/news/release-1.14.2
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/r215009dbf7467a9f6506d0c0024cb36cad30071010e62c9352cfaaf0%40%3Cissues.maven.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/r377b93d79817ce649e9e68b3456e6f499747ef1643fa987b342e082e%40%3Cissues.maven.apache.org%3E
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpujan2022.html
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuapr2022.html
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20220210-0022/
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpujul2022.html
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/r685c5235235ad0c26e86d0ee987fb802c9675de6081dbf0516464e0b%40%3Cnotifications.james.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/rc3354080fc67fb50b45b3c2d12dc4ca2a3c1c78dad3d3ba012c038aa%40%3Cnotifications.james.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/r97404676a5cf591988faedb887d64e278f522adcaa823d89ca69defe%40%3Cnotifications.james.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/r50e9c9466c592ca9d707a5dea549524d19e3287da08d8392f643960e%40%3Cissues.maven.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/r3d71f18adb78e50f626dde689161ca63d3b7491bd9718fcddfaecba7%40%3Cissues.maven.apache.org%3E
Scores
CVSS v3
7.5
EPSS
0.0687
EPSS Percentile
93.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-248
CWE-835
Status
published
Products (25)
jsoup/jsoup
< 1.14.2
netapp/management_services_for_element_software_and_netapp_hci
oracle/banking_trade_finance
14.5
oracle/banking_treasury_management
14.5
oracle/business_process_management_suite
12.2.1.3.0
oracle/business_process_management_suite
12.2.1.4.0
oracle/communications_messaging_server
8.1
oracle/financial_services_crime_and_compliance_management_studio
8.0.8.2.0
oracle/financial_services_crime_and_compliance_management_studio
8.0.8.3.0
oracle/flexcube_universal_banking
14.5
... and 15 more
Published
Aug 18, 2021
Tracked Since
Feb 18, 2026