CVE-2021-37714

jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue is patched in version 1.14.2. There are a few available workarounds. Users may rate limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and timeout parse runtimes.
References
Link Resource
https://jsoup.org/news/release-1.14.1 Release Notes Vendor Advisory
https://jsoup.org/news/release-1.14.2 Release Notes Vendor Advisory
https://github.com/jhy/jsoup/security/advisories/GHSA-m72m-mhq2-9p6c Third Party Advisory
https://lists.apache.org/thread.html/r685c5235235ad0c26e86d0ee987fb802c9675de6081dbf0516464e0b@%3Cnotifications.james.apache.org%3E Mailing List Third Party Advisory
https://lists.apache.org/thread.html/rc3354080fc67fb50b45b3c2d12dc4ca2a3c1c78dad3d3ba012c038aa@%3Cnotifications.james.apache.org%3E Mailing List Third Party Advisory
https://lists.apache.org/thread.html/r97404676a5cf591988faedb887d64e278f522adcaa823d89ca69defe@%3Cnotifications.james.apache.org%3E Mailing List Third Party Advisory
https://lists.apache.org/thread.html/r50e9c9466c592ca9d707a5dea549524d19e3287da08d8392f643960e@%3Cissues.maven.apache.org%3E Mailing List Third Party Advisory
https://lists.apache.org/thread.html/r215009dbf7467a9f6506d0c0024cb36cad30071010e62c9352cfaaf0@%3Cissues.maven.apache.org%3E Mailing List Third Party Advisory
https://lists.apache.org/thread.html/r377b93d79817ce649e9e68b3456e6f499747ef1643fa987b342e082e@%3Cissues.maven.apache.org%3E Mailing List Third Party Advisory
https://lists.apache.org/thread.html/r3d71f18adb78e50f626dde689161ca63d3b7491bd9718fcddfaecba7@%3Cissues.maven.apache.org%3E Mailing List Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html Patch Third Party Advisory
https://security.netapp.com/advisory/ntap-20220210-0022/ Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html Patch Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:jsoup:jsoup:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*

Configuration 3 (hide)

OR cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:flexcube_universal_banking:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:20.12:*:*:*:*:*:*:*
cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:o:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:21.12:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_trade_finance:14.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_treasury_management:14.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:flexcube_universal_banking:14.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hospitality_token_proxy_service:19.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:*:*:*:*:*:*:*:*

Configuration 4 (hide)

cpe:2.3:a:netapp:management_services_for_element_software_and_netapp_hci:-:*:*:*:*:*:*:*

History

10 May 2022, 18:03

Type Values Removed Values Added
References (MISC) https://www.oracle.com/security-alerts/cpuapr2022.html - (MISC) https://www.oracle.com/security-alerts/cpuapr2022.html - Patch, Third Party Advisory
First Time Oracle peoplesoft Enterprise Peopletools
Oracle hospitality Token Proxy Service
Oracle webcenter Portal
Oracle flexcube Universal Banking
Oracle retail Customer Management And Segmentation Foundation
Oracle business Process Management Suite
Oracle banking Trade Finance
Oracle banking Treasury Management
CPE cpe:2.3:a:oracle:flexcube_universal_banking:14.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_treasury_management:14.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_trade_finance:14.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:flexcube_universal_banking:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*
cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hospitality_token_proxy_service:19.2:*:*:*:*:*:*:*

20 Apr 2022, 00:16

Type Values Removed Values Added
References
  • (MISC) https://www.oracle.com/security-alerts/cpuapr2022.html -

04 Mar 2022, 21:36

Type Values Removed Values Added
References (CONFIRM) https://security.netapp.com/advisory/ntap-20220210-0022/ - (CONFIRM) https://security.netapp.com/advisory/ntap-20220210-0022/ - Third Party Advisory
References (MISC) https://www.oracle.com/security-alerts/cpujan2022.html - (MISC) https://www.oracle.com/security-alerts/cpujan2022.html - Patch, Third Party Advisory
First Time Oracle
Netapp
Netapp management Services For Element Software And Netapp Hci
Oracle primavera Unifier
Oracle communications Messaging Server
CPE cpe:2.3:a:netapp:management_services_for_element_software_and_netapp_hci:-:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:21.12:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:20.12:*:*:*:*:*:*:*
cpe:2.3:o:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*

10 Feb 2022, 10:15

Type Values Removed Values Added
References
  • (CONFIRM) https://security.netapp.com/advisory/ntap-20220210-0022/ -

07 Feb 2022, 16:16

Type Values Removed Values Added
References
  • (MISC) https://www.oracle.com/security-alerts/cpujan2022.html -
CWE CWE-248

20 Oct 2021, 14:31

Type Values Removed Values Added
CPE cpe:2.3:a:apache:maven:3.8.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:wagon-http:3.4.3:*:*:*:*:*:*:*
cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*

18 Oct 2021, 12:29

Type Values Removed Values Added
CWE CWE-248
CPE cpe:2.3:a:apache:maven:3.8.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:wagon-http:3.4.3:*:*:*:*:*:*:*
References (MLIST) https://lists.apache.org/thread.html/r50e9c9466c592ca9d707a5dea549524d19e3287da08d8392f643960e@%3Cissues.maven.apache.org%3E - (MLIST) https://lists.apache.org/thread.html/r50e9c9466c592ca9d707a5dea549524d19e3287da08d8392f643960e@%3Cissues.maven.apache.org%3E - Mailing List, Third Party Advisory
References (MLIST) https://lists.apache.org/thread.html/r377b93d79817ce649e9e68b3456e6f499747ef1643fa987b342e082e@%3Cissues.maven.apache.org%3E - (MLIST) https://lists.apache.org/thread.html/r377b93d79817ce649e9e68b3456e6f499747ef1643fa987b342e082e@%3Cissues.maven.apache.org%3E - Mailing List, Third Party Advisory
References (MLIST) https://lists.apache.org/thread.html/r3d71f18adb78e50f626dde689161ca63d3b7491bd9718fcddfaecba7@%3Cissues.maven.apache.org%3E - (MLIST) https://lists.apache.org/thread.html/r3d71f18adb78e50f626dde689161ca63d3b7491bd9718fcddfaecba7@%3Cissues.maven.apache.org%3E - Mailing List, Third Party Advisory
References (MLIST) https://lists.apache.org/thread.html/r215009dbf7467a9f6506d0c0024cb36cad30071010e62c9352cfaaf0@%3Cissues.maven.apache.org%3E - (MLIST) https://lists.apache.org/thread.html/r215009dbf7467a9f6506d0c0024cb36cad30071010e62c9352cfaaf0@%3Cissues.maven.apache.org%3E - Mailing List, Third Party Advisory

01 Sep 2021, 15:15

Type Values Removed Values Added
References
  • (MLIST) https://lists.apache.org/thread.html/r377b93d79817ce649e9e68b3456e6f499747ef1643fa987b342e082e@%3Cissues.maven.apache.org%3E -
  • (MLIST) https://lists.apache.org/thread.html/r3d71f18adb78e50f626dde689161ca63d3b7491bd9718fcddfaecba7@%3Cissues.maven.apache.org%3E -
  • (MLIST) https://lists.apache.org/thread.html/r215009dbf7467a9f6506d0c0024cb36cad30071010e62c9352cfaaf0@%3Cissues.maven.apache.org%3E -

30 Aug 2021, 13:15

Type Values Removed Values Added
References
  • (MLIST) https://lists.apache.org/thread.html/r50e9c9466c592ca9d707a5dea549524d19e3287da08d8392f643960e@%3Cissues.maven.apache.org%3E -

26 Aug 2021, 01:00

Type Values Removed Values Added
References (MISC) https://jsoup.org/news/release-1.14.2 - (MISC) https://jsoup.org/news/release-1.14.2 - Release Notes, Vendor Advisory
References (MLIST) https://lists.apache.org/thread.html/rc3354080fc67fb50b45b3c2d12dc4ca2a3c1c78dad3d3ba012c038aa@%3Cnotifications.james.apache.org%3E - (MLIST) https://lists.apache.org/thread.html/rc3354080fc67fb50b45b3c2d12dc4ca2a3c1c78dad3d3ba012c038aa@%3Cnotifications.james.apache.org%3E - Mailing List, Third Party Advisory
References (MLIST) https://lists.apache.org/thread.html/r685c5235235ad0c26e86d0ee987fb802c9675de6081dbf0516464e0b@%3Cnotifications.james.apache.org%3E - (MLIST) https://lists.apache.org/thread.html/r685c5235235ad0c26e86d0ee987fb802c9675de6081dbf0516464e0b@%3Cnotifications.james.apache.org%3E - Mailing List, Third Party Advisory
References (MLIST) https://lists.apache.org/thread.html/r97404676a5cf591988faedb887d64e278f522adcaa823d89ca69defe@%3Cnotifications.james.apache.org%3E - (MLIST) https://lists.apache.org/thread.html/r97404676a5cf591988faedb887d64e278f522adcaa823d89ca69defe@%3Cnotifications.james.apache.org%3E - Mailing List, Third Party Advisory
References (CONFIRM) https://github.com/jhy/jsoup/security/advisories/GHSA-m72m-mhq2-9p6c - (CONFIRM) https://github.com/jhy/jsoup/security/advisories/GHSA-m72m-mhq2-9p6c - Third Party Advisory
References (MISC) https://jsoup.org/news/release-1.14.1 - (MISC) https://jsoup.org/news/release-1.14.1 - Release Notes, Vendor Advisory
CPE cpe:2.3:a:jsoup:jsoup:*:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : 7.5
v2 : 5.0
v3 : 7.5

24 Aug 2021, 04:15

Type Values Removed Values Added
References
  • (MLIST) https://lists.apache.org/thread.html/rc3354080fc67fb50b45b3c2d12dc4ca2a3c1c78dad3d3ba012c038aa@%3Cnotifications.james.apache.org%3E -
  • (MLIST) https://lists.apache.org/thread.html/r97404676a5cf591988faedb887d64e278f522adcaa823d89ca69defe@%3Cnotifications.james.apache.org%3E -

20 Aug 2021, 15:15

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.5
CWE CWE-248
CWE-835
References
  • (MLIST) https://lists.apache.org/thread.html/r685c5235235ad0c26e86d0ee987fb802c9675de6081dbf0516464e0b@%3Cnotifications.james.apache.org%3E -

18 Aug 2021, 15:26

Type Values Removed Values Added
New CVE

Information

Published : 2021-08-18 15:15

Updated : 2022-05-10 18:03


NVD link : CVE-2021-37714

Mitre link : CVE-2021-37714


JSON object : View

Products Affected

oracle

  • webcenter_portal
  • banking_trade_finance
  • primavera_unifier
  • banking_treasury_management
  • retail_customer_management_and_segmentation_foundation
  • hospitality_token_proxy_service
  • flexcube_universal_banking
  • business_process_management_suite
  • peoplesoft_enterprise_peopletools
  • communications_messaging_server

netapp

  • management_services_for_element_software_and_netapp_hci

jsoup

  • jsoup

quarkus

  • quarkus
CWE
CWE-248

Uncaught Exception

CWE-835

Loop with Unreachable Exit Condition ('Infinite Loop')