CVE-2021-37714

Aliases:GHSA-m72m-mhq2-9p6c
Advisory lineage Upstream: 0 Downstream: 11
Modified
Published: 18 Aug 2021, 15:10
Last modified:04 Aug 2024, 01:23

Vulnerability Summary

Overall Risk (default)
medium
31/100
CVSS Score
7.5 HIGH
v3.1 (cve.org)
EPSS Score
4.35% LOW
4% probability 0.00%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

18 Aug 2021, 15:10
Published
Vulnerability first disclosed
04 Aug 2024, 01:23
Last Modified
Vulnerability information updated

Description

jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue is patched in version 1.14.2. There are a few available workarounds. Users may rate limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and timeout parse runtimes.

CVSS Metrics

  • v3.1HIGHScore: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • v2.0MEDIUMScore: 5AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS Trends

Current EPSS score: 4.35% Percentile: 89%

Techniques & Countermeasures

  • CWE-835Loop with Unreachable Exit Condition ('Infinite Loop')

    The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

  • CWE-248Uncaught Exception

    An exception is thrown from a function, but it is not caught.

Affected Systems

  • jhyjsoup

    < 1.14.2

  • jsoupjsoup

    < 1.14.2

  • org.jsoupjsoup

    < 1.14.2

  • netappmanagement_services_for_element_software_and_netapp_hci

    na

  • oraclebanking_trade_finance

    14.5

  • oraclebanking_treasury_management

    14.5

  • oraclebusiness_process_management_suite

    12.2.1.3.0 | 12.2.1.4.0

  • oraclecommunications_messaging_server

    8.1

  • oraclefinancial_services_crime_and_compliance_management_studio

    8.0.8.2.0 | 8.0.8.3.0

  • oracleflexcube_universal_banking

    ≥ 14.0.0, ≤ 14.3.0 | 14.5

  • oraclehospitality_token_proxy_service

    19.2

  • oraclemiddleware_common_libraries_and_tools

    12.2.1.3.0 | 12.2.1.4.0

  • oraclepeoplesoft_enterprise_peopletools

    8.58 | 8.59

  • oracleprimavera_unifier

    20.12 | 21.12

  • oracleretail_customer_management_and_segmentation_foundation

    ≥ 17.0, ≤ 19.0

  • oraclestream_analytics

    < 19.1.0.0.6.4 | 19c

  • oraclewebcenter_portal

    12.2.1.3.0 | 12.2.1.4.0

  • quarkusquarkus

    ≤ 2.2.3

References (24)