CVE-2021-37714
Denial of Service vulnerability in jsoup (Maven)

Denial of Service No known exploit

What is CVE-2021-37714 About?

This vulnerability affects jsoup, where parsing untrusted HTML or XML can lead to Denial of Service (DoS) attacks. An attacker can supply crafted input that causes the parser to loop indefinitely, slow down significantly, or throw exceptions, making the service unavailable. Exploitation is relatively easy if an attacker can control the input to the parser.

Affected Software

org.jsoup:jsoup <1.14.2

Technical Details

The jsoup library, when parsing specially crafted, untrusted HTML or XML input, can be driven into a denial of service state. This occurs due to specific patterns in the input that can cause the parser to enter an infinite loop when attempting to resolve them, leading to continuous CPU consumption. Alternatively, certain complex or malformed structures may cause the parser to process data at an exponentially slower rate than expected, effectively slowing the application to a crawl. In some cases, the malformed input might trigger unexpected exceptions that are not gracefully handled, causing the application to crash or become unresponsive. The root cause lies in the parser's logic for handling certain edge cases or complex nested structures without adequate bounds or timeout mechanisms.

What is the Impact of CVE-2021-37714?

Successful exploitation may allow attackers to cause a denial of service, leading to resource exhaustion, unresponsiveness, and unavailability of the affected application or service.

What is the Exploitability of CVE-2021-37714?

Exploitation complexity is low, as it primarily requires an attacker to be able to supply arbitrary, untrusted HTML or XML input to an application using the jsoup parser. There are no specific authentication or privilege requirements; an unauthenticated user capable of submitting content to be parsed would suffice. This is typically a remote vulnerability if the application processes external user-provided content via a web interface or API. Special conditions include the application relying on jsoup for parsing and not having implemented rate limiting, input size limitations, or thread watchdogs. The absence of these mitigating controls significantly increases the likelihood of a successful DoS attack.
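The input size limit and thread watchdog named above, shown as an added example that is not part of this advisory or of the jsoup project. Jsoup.parse is the real jsoup API; the class name, the two limit values, the pool size and the sample input are assumptions chosen for illustration.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;

/** Bounded wrapper around Jsoup.parse: caps input size and wall-clock parse time. */
public final class BoundedParse {
    // Illustrative limits (assumed values); tune them for the deployment.
    private static final int MAX_INPUT_CHARS = 1_000_000;   // roughly 1 MB of text
    private static final long PARSE_TIMEOUT_MS = 2_000L;

    // Fixed-size pool so a wedged parse cannot consume an unbounded number of threads.
    private static final ExecutorService POOL = Executors.newFixedThreadPool(4, r -> {
        Thread t = new Thread(r, "jsoup-parse");
        t.setDaemon(true);   // a runaway parser thread must not block JVM shutdown
        return t;
    });

    public static Document parseUntrusted(String html, String baseUri) throws Exception {
        if (html == null) throw new IllegalArgumentException("no input");
        if (html.length() > MAX_INPUT_CHARS) {
            // Reject oversized input before the parser ever sees it.
            throw new IllegalArgumentException("input too large: " + html.length() + " chars");
        }
        Future<Document> job = POOL.submit(() -> Jsoup.parse(html, baseUri));
        try {
            return job.get(PARSE_TIMEOUT_MS, TimeUnit.MILLISECONDS);
        } catch (TimeoutException e) {
            // cancel(true) only sets the interrupt flag; a tight loop inside the
            // tokenizer may never check it, so the watchdog limits blast radius
            // (bounded pool, rejected request) rather than replacing the upgrade.
            job.cancel(true);
            throw new IllegalStateException(
                "parse exceeded " + PARSE_TIMEOUT_MS + " ms; input rejected", e);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed, well-formed sample input that parses quickly.
        String sample = "<html><body><p>hello <b>world</b></p></body></html>";
        Document doc = parseUntrusted(sample, "https://example.invalid/");
        System.out.println(doc.body().text());
    }
}
```

A timeout firing in production is a signal worth alerting on: it indicates either pathological input or an affected jsoup version still on the classpath.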

What are the Known Public Exploits?

No known exploits (no PoC, author, link or commentary recorded).

What are the Available Fixes for CVE-2021-37714?

Available Upgrade Options

  • org.jsoup:jsoup
    • <1.14.2 → Upgrade to 1.14.2


Additional Resources

What are Similar Vulnerabilities to CVE-2021-37714?

Similar Vulnerabilities: CVE-2021-43307, CVE-2022-21222, CVE-2018-1000873, CVE-2018-1000180, CVE-2020-15389