CVE-2021-37714

Summary

CVE	CVE-2021-37714
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2021-08-18 15:15:00 UTC
Updated	2023-11-07 03:37:00 UTC
Description	jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue is patched in version 1.14.2. There are a few available workarounds. Users may rate limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and timeout parse runtimes.

Risk And Classification

Problem Types: CWE-248 | CWE-835

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Apache	Maven	3.8.2	All	All	All
Application	Apache	Wagon-http	3.4.3	All	All	All
Application	Jsoup	Jsoup	All	All	All	All
Application	Netapp	Management Services For Element Software And Netapp Hci	-	All	All	All
Application	Oracle	Banking Trade Finance	14.5	All	All	All
Application	Oracle	Banking Treasury Management	14.5	All	All	All
Application	Oracle	Business Process Management Suite	12.2.1.3.0	All	All	All
Application	Oracle	Business Process Management Suite	12.2.1.4.0	All	All	All
Operating System	Oracle	Communications Messaging Server	8.1	All	All	All
Application	Oracle	Financial Services Crime And Compliance Management Studio	8.0.8.2.0	All	All	All
Application	Oracle	Financial Services Crime And Compliance Management Studio	8.0.8.3.0	All	All	All
Application	Oracle	Flexcube Universal Banking	14.5	All	All	All
Application	Oracle	Flexcube Universal Banking	All	All	All	All
Application	Oracle	Hospitality Token Proxy Service	19.2	All	All	All
Application	Oracle	Middleware Common Libraries And Tools	12.2.1.3.0	All	All	All
Application	Oracle	Middleware Common Libraries And Tools	12.2.1.4.0	All	All	All
Application	Oracle	Peoplesoft Enterprise Peopletools	8.58	All	All	All
Application	Oracle	Peoplesoft Enterprise Peopletools	8.59	All	All	All
Application	Oracle	Primavera Unifier	20.12	All	All	All
Application	Oracle	Primavera Unifier	21.12	All	All	All
Application	Oracle	Retail Customer Management And Segmentation Foundation	All	All	All	All
Application	Oracle	Stream Analytics	All	All	All	All
Application	Oracle	Stream Analytics	19c	All	All	All
Application	Oracle	Webcenter Portal	12.2.1.3.0	All	All	All
Application	Oracle	Webcenter Portal	12.2.1.4.0	All	All	All
Application	Quarkus	Quarkus	All	All	All	All

References

Reference	Source	Link	Tags
[james-notifications] 20210820 [GitHub] [james-project] chibenwa opened a new pull request #609: [UPGRADE] JSOUP 1.14.1 -> 1.14.2 to address CVE-2021-37714		lists.apache.org
[maven-issues] 20210901 [jira] [Commented] (MNG-7227) Fix CVE-2021-37714 present in apache-maven		lists.apache.org
CVE-2021-37714 jsoup Vulnerability in NetApp Products \| NetApp Product Security	CONFIRM	security.netapp.com
Pony Mail!	MLIST	lists.apache.org
Oracle Critical Patch Update Advisory - April 2022	MISC	www.oracle.com
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
[maven-issues] 20210901 [jira] [Created] (MNG-7227) Fix CVE-2021-37714 present in apache-maven		lists.apache.org
[james-notifications] 20210823 [GitHub] [james-project] chibenwa merged pull request #609: [UPGRADE] JSOUP 1.14.1 -> 1.14.2 to address CVE-2021-37714		lists.apache.org
Oracle Critical Patch Update Advisory - January 2022	MISC	www.oracle.com
Pony Mail!	MLIST	lists.apache.org
[maven-issues] 20210830 [jira] [Created] (WAGON-612) Update jsoup to >= 1.14.2 for fix security issue		lists.apache.org
jsoup release 1.14.1 (2021-Jul-10)	MISC	jsoup.org
[maven-issues] 20210901 [jira] [Updated] (MNG-7227) Fix CVE-2021-37714 present in apache-maven		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Crafted input may cause the jsoup HTML and XML parser to get stuck, timeout, or throw unchecked exceptions · Advisory · jhy/jsoup · GitHub	CONFIRM	github.com
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
[james-notifications] 20210823 [james-project] branch master updated: [UPGRADE] JSOUP 1.14.1 -> 1.14.2 to address CVE-2021-37714		lists.apache.org
jsoup release 1.14.2 (2021-Aug-15)	MISC	jsoup.org
Oracle Critical Patch Update Advisory - July 2022	N/A	www.oracle.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

184645 Debian Security Update for jsoup (CVE-2021-37714)
239885 Red Hat Update for JBoss Enterprise Application Platform 7.4.2 on RHEL 8 (RHSA-2021:4677)
239888 Red Hat Update for JBoss Enterprise Application Platform 7.4.2 on RHEL 7 (RHSA-2021:4676)
239965 Red Hat Update for JBoss Enterprise Application Platform 7.3.10 on RHEL 7 (RHSA-2021:5150)
239966 Red Hat Update for JBoss Enterprise Application Platform 7.3.10 on RHEL 8 (RHSA-2021:5151)
239967 Red Hat Update for JBoss Enterprise Application Platform 7.3.10 on RHEL 6 (RHSA-2021:5149)
376547 Oracle PeopleSoft Enterprise PeopleTools Product Multiple Vulnerabilities (CPUAPR2022)
752051 SUSE Enterprise Linux Security Update for jsoup, jsr-305 (SUSE-SU-2022:1265-1)
901401 Common Base Linux Mariner (CBL-Mariner) Security Update for jsoup (7253)
980408 Java (maven) Security Update for org.jsoup:jsoup (GHSA-m72m-mhq2-9p6c)