CVE-2021-37714 : jsoup is a Java library for working with HTML. Those using jsoup versions prior

jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue is patched in version 1.14.2. There are a few available workarounds. Users may rate limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and timeout parse runtimes.

Published 2021-08-18 15:15:08

Updated 2022-12-07 20:14:58

Source GitHub, Inc.

View at NVD, CVE.org

Vulnerability category: Denial of service

Products affected by CVE-2021-37714

Oracle » Peoplesoft Enterprise Peopletools » Version: 8.58
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
Matching versions
Oracle » Peoplesoft Enterprise Peopletools » Version: 8.59
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Messaging Server » Version: 8.1
cpe:2.3:o:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*
Matching versions
Oracle » Flexcube Universal Banking
Versions from including (>=) 14.0.0 and up to, including, (<=) 14.3.0
cpe:2.3:a:oracle:flexcube_universal_banking:*:*:*:*:*:*:*:*
Matching versions
Oracle » Flexcube Universal Banking » Version: 14.5
cpe:2.3:a:oracle:flexcube_universal_banking:14.5:*:*:*:*:*:*:*
Matching versions
Oracle » Primavera Unifier » Version: 20.12
cpe:2.3:a:oracle:primavera_unifier:20.12:*:*:*:*:*:*:*
Matching versions
Oracle » Primavera Unifier » Version: 21.12
cpe:2.3:a:oracle:primavera_unifier:21.12:*:*:*:*:*:*:*
Matching versions
Oracle » Webcenter Portal » Version: 12.2.1.3.0
cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*
Matching versions
Oracle » Webcenter Portal » Version: 12.2.1.4.0
cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:*
Matching versions
Oracle » Business Process Management Suite » Version: 12.2.1.3.0
cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*
Matching versions
Oracle » Business Process Management Suite » Version: 12.2.1.4.0
cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Customer Management And Segmentation Foundation
Versions from including (>=) 17.0 and up to, including, (<=) 19.0
cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:*:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Treasury Management » Version: 14.5
cpe:2.3:a:oracle:banking_treasury_management:14.5:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Trade Finance » Version: 14.5
cpe:2.3:a:oracle:banking_trade_finance:14.5:*:*:*:*:*:*:*
Matching versions
Oracle » Middleware Common Libraries And Tools » Version: 12.2.1.4.0
cpe:2.3:a:oracle:middleware_common_libraries_and_tools:12.2.1.4.0:*:*:*:*:*:*:*
Matching versions
Oracle » Middleware Common Libraries And Tools » Version: 12.2.1.3.0
cpe:2.3:a:oracle:middleware_common_libraries_and_tools:12.2.1.3.0:*:*:*:*:*:*:*
Matching versions
Oracle » Hospitality Token Proxy Service » Version: 19.2
cpe:2.3:a:oracle:hospitality_token_proxy_service:19.2:*:*:*:*:*:*:*
Matching versions
Oracle » Financial Services Crime And Compliance Management Studio » Version: 8.0.8.2.0
cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.2.0:*:*:*:*:*:*:*
Matching versions
Oracle » Financial Services Crime And Compliance Management Studio » Version: 8.0.8.3.0
cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.3.0:*:*:*:*:*:*:*
Matching versions
Oracle » Stream Analytics
Versions before (<) 19.1.0.0.6.4
cpe:2.3:a:oracle:stream_analytics:*:*:*:*:*:*:*:*
Matching versions
Oracle » Stream Analytics » Version: 19C
cpe:2.3:a:oracle:stream_analytics:19c:*:*:*:*:*:*:*
Matching versions
Netapp » Management Services For Element Software And Netapp Hci » Version: N/A
cpe:2.3:a:netapp:management_services_for_element_software_and_netapp_hci:-:*:*:*:*:*:*:*
Matching versions
Jsoup » Jsoup
Versions before (<) 1.14.2
cpe:2.3:a:jsoup:jsoup:*:*:*:*:*:*:*:*
Matching versions
Quarkus » Quarkus
Versions up to, including, (<=) 2.2.3
cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2021-37714

EPSS FAQ

0.41%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 59 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-37714

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.0	MEDIUM	AV:N/AC:L/Au:N/C:N/I:N/A:P	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H	3.9	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H	3.9	3.6	GitHub, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High
7.5	HIGH	AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H	N/A	N/A	Oracle:CPUOct2023
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2021-37714

CWE-248 Uncaught Exception

An exception is thrown from a function, but it is not caught.

Assigned by: security-advisories@github.com (Primary)
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')

The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
Assigned by:
- nvd@nist.gov (Secondary)
- security-advisories@github.com (Primary)

References for CVE-2021-37714

https://lists.apache.org/thread.html/r685c5235235ad0c26e86d0ee987fb802c9675de6081dbf0516464e0b@%3Cnotifications.james.apache.org%3E

[GitHub] [james-project] chibenwa opened a new pull request #609: [UPGRADE] JSOUP 1.14.1 -> 1.14.2 to address CVE-2021-37714 - Pony Mail
Mailing List;Third Party Advisory
https://lists.apache.org/thread.html/r50e9c9466c592ca9d707a5dea549524d19e3287da08d8392f643960e@%3Cissues.maven.apache.org%3E

[jira] [Created] (WAGON-612) Update jsoup to >= 1.14.2 for fix security issue - Pony Mail
Mailing List;Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html

Oracle Critical Patch Update Advisory - April 2022
Patch;Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/rc3354080fc67fb50b45b3c2d12dc4ca2a3c1c78dad3d3ba012c038aa@%3Cnotifications.james.apache.org%3E

[GitHub] [james-project] chibenwa merged pull request #609: [UPGRADE] JSOUP 1.14.1 -> 1.14.2 to address CVE-2021-37714 - Pony Mail
Mailing List;Third Party Advisory
https://lists.apache.org/thread.html/r215009dbf7467a9f6506d0c0024cb36cad30071010e62c9352cfaaf0@%3Cissues.maven.apache.org%3E

[jira] [Created] (MNG-7227) Fix CVE-2021-37714 present in apache-maven - Pony Mail
Mailing List;Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html

Oracle Critical Patch Update Advisory - January 2022
Patch;Third Party Advisory

CVEs referencing this url
https://github.com/jhy/jsoup/security/advisories/GHSA-m72m-mhq2-9p6c

Crafted input may cause the jsoup HTML and XML parser to get stuck, timeout, or throw unchecked exceptions · Advisory · jhy/jsoup · GitHub
Third Party Advisory
https://jsoup.org/news/release-1.14.1

jsoup release 1.14.1 (2021-Jul-10)
Release Notes;Vendor Advisory
https://lists.apache.org/thread.html/r377b93d79817ce649e9e68b3456e6f499747ef1643fa987b342e082e@%3Cissues.maven.apache.org%3E

[jira] [Commented] (MNG-7227) Fix CVE-2021-37714 present in apache-maven - Pony Mail
Mailing List;Third Party Advisory
https://jsoup.org/news/release-1.14.2

jsoup release 1.14.2 (2021-Aug-15)
Release Notes;Vendor Advisory
https://security.netapp.com/advisory/ntap-20220210-0022/

CVE-2021-37714 jsoup Vulnerability in NetApp Products | NetApp Product Security
Third Party Advisory
https://lists.apache.org/thread.html/r97404676a5cf591988faedb887d64e278f522adcaa823d89ca69defe@%3Cnotifications.james.apache.org%3E

[james-project] branch master updated: [UPGRADE] JSOUP 1.14.1 -> 1.14.2 to address CVE-2021-37714 - Pony Mail
Mailing List;Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html

Oracle Critical Patch Update Advisory - July 2022
Patch;Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/r3d71f18adb78e50f626dde689161ca63d3b7491bd9718fcddfaecba7@%3Cissues.maven.apache.org%3E

[jira] [Updated] (MNG-7227) Fix CVE-2021-37714 present in apache-maven - Pony Mail
Mailing List;Third Party Advisory

Jump to

Vulnerability Details : CVE-2021-37714

Products affected by CVE-2021-37714

Exploit prediction scoring system (EPSS) score for CVE-2021-37714

CVSS scores for CVE-2021-37714

CWE ids for CVE-2021-37714

References for CVE-2021-37714