[Bugs] [Bug 13256] New: [CVE 21] jsoup 1.11.3 CVEs found
bugzilla
bugzilla at rosalinux.ru
Wed May 3 12:53:35 MSK 2023
https://bugzilla.rosalinux.ru/show_bug.cgi?id=13256
Platform: 2021.1
Bug ID: 13256
Summary: [CVE 21] jsoup 1.11.3 CVEs found
Classification: ROSA-based products
Product: ROSA Fresh
Version: All
Hardware: All
URL: CVE-2021-37714, CVE-2022-36033
OS: Linux
Status: CONFIRMED
Severity: normal
Priority: Normal
Component: System (kernel, glibc, systemd, bash, PAM...)
Assignee: bugs at lists.rosalinux.ru
Reporter: y.tumanov at rosalinux.ru
QA Contact: bugs at lists.rosalinux.ru
CC: s.matveev at rosalinux.ru, y.tumanov at rosalinux.ru
Target Milestone: ---
Flags: secteam_verified?
Please patch the following CVEs for package jsoup version 1.11.3.
INFO (CVEs found for jsoup 1.11.3):
CVE-2021-37714
Desc: jsoup is a Java library for working with HTML. Those using jsoup versions
prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS
attacks. If the parser is run on user supplied input, an attacker may supply
content that causes the parser to get stuck (loop indefinitely until
cancelled), to complete more slowly than usual, or to throw an unexpected
exception. This effect may support a denial of service attack. The issue is
patched in version 1.14.2. There are a few available workarounds. Users may
rate limit input parsing, limit the size of inputs based on system resources,
and/or implement thread watchdogs to cap and timeout parse runtimes.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-37714
Severity: HIGH
CVE-2022-36033
Desc: jsoup is a Java HTML parser, built for HTML editing, cleaning, scraping,
and cross-site scripting (XSS) safety. jsoup may incorrectly sanitize HTML
including `javascript:` URL expressions, which could allow XSS attacks when a
reader subsequently clicks that link. If the non-default
`SafeList.preserveRelativeLinks` option is enabled, HTML including
`javascript:` URLs that have been crafted with control characters will not be
sanitized. If the site that this HTML is published on does not set a Content
Security Policy, an XSS attack is then possible. This issue is patched in jsoup
1.15.3. Users should upgrade to this version. Additionally, as the unsanitized
input may have been persisted, old content should be cleaned again using the
updated version. To remediate this issue without immediately upgrading:
- disable `SafeList.preserveRelativeLinks`, which will rewrite input URLs as absolute URLs
- ensure an appropriate [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) is defined. (This should be used regardless of upgrading, as a defence-in-depth best practice.)
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-36033
Severity: MEDIUM
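Added example (not from this bug report or the jsoup project) showing the workarounds both advisories name, in Java: an input-size cap and a thread watchdog around parsing for CVE-2021-37714, and cleaning with `preserveRelativeLinks` left disabled for CVE-2022-36033. The `GuardedJsoup` class, the byte and millisecond limits and the sample input are assumptions; it assumes jsoup 1.14.1 or later, where the class is named `Safelist` (older releases such as 1.11.3 call it `Whitelist` with the same method names).

```java
import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;
import org.jsoup.safety.Safelist;
import java.nio.charset.StandardCharsets;
import java.util.concurrent.*;

/** Applies the workarounds named in the two advisories around jsoup calls. */
public final class GuardedJsoup {
    // Assumed limits; size them to the deploying system's resources.
    private static final int MAX_INPUT_BYTES = 512 * 1024;
    private static final long PARSE_TIMEOUT_MS = 2_000;
    // Bounded pool: a parse that ignores interruption can pin at most 4 threads.
    private static final ExecutorService POOL = Executors.newFixedThreadPool(4);

    /** Parses untrusted HTML under a size cap and a wall-clock watchdog (CVE-2021-37714). */
    public static Document parseUntrusted(String html) throws Exception {
        if (html.getBytes(StandardCharsets.UTF_8).length > MAX_INPUT_BYTES) {
            throw new IllegalArgumentException("input exceeds " + MAX_INPUT_BYTES + " bytes");
        }
        Future<Document> task = POOL.submit(() -> Jsoup.parse(html));
        try {
            return task.get(PARSE_TIMEOUT_MS, TimeUnit.MILLISECONDS);
        } catch (TimeoutException e) {
            // cancel(true) only sets the interrupt flag; a parser stuck in a loop that never
            // checks it keeps running, which is why the pool above is bounded.
            task.cancel(true);
            throw new IllegalStateException("parse exceeded " + PARSE_TIMEOUT_MS + " ms", e);
        }
    }

    /**
     * Cleans untrusted HTML for re-publication (CVE-2022-36033). preserveRelativeLinks stays
     * at its default of false, so every URL is resolved against baseUri before the protocol
     * check, and javascript: hrefs are dropped because Safelist.basic() allows only
     * http, https, ftp and mailto on a[href].
     */
    public static String cleanUntrusted(String html, String baseUri) {
        Safelist safelist = Safelist.basic().preserveRelativeLinks(false);
        return Jsoup.clean(html, baseUri, safelist);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a javascript: URL with an embedded control character.
        String sample = "<a href=\"java\u0000script:alert(1)\">x</a><p>hello</p>";
        System.out.println(cleanUntrusted(sample, "https://example.invalid/"));
        System.out.println(parseUntrusted(sample).body().text());
        POOL.shutdown();
    }
}
```

Upgrading to the fixed releases (1.14.2 and 1.15.3) remains the primary fix; these guards are the advisories' interim measures and still make sense afterwards as defence in depth, together with re-cleaning any stored content.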