CVE-2022-36033
Cross-site Scripting (XSS) vulnerability in jsoup (Maven)
What is CVE-2022-36033 About?
This vulnerability is a Cross-site Scripting (XSS) flaw in jsoup, where improper HTML sanitization, particularly with the `SafeList.preserveRelativeLinks` option, allows `javascript:` URLs to bypass filtering. This can lead to XSS attacks if the site lacks a Content Security Policy, making it a critical risk under specific configurations.
Affected Software
Technical Details
jsoup versions prior to 1.15.3, when SafeList.preserveRelativeLinks is enabled, can fail to properly sanitize HTML containing javascript: URL expressions that are crafted with control characters (e.g., java\tscript:...). The Java URL class used by jsoup's cleaner treats these as relative URLs because control characters disrupt its URL specification matching. However, browsers may normalize these control characters, causing the javascript: URL to be evaluated, leading to a Cross-site Scripting (XSS) attack. This disparity between jsoup's sanitization and browser interpretation creates the vulnerability, allowing malicious scripts to execute if no strong Content Security Policy (CSP) is present.
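To make that parsing disparity concrete, the following is an added example in plain Java; it is not jsoup's code and not the actual 1.15.3 fix. It contrasts a scheme check that relies on `java.net.URL` resolution (the behaviour described above, where a scheme containing a tab is parsed as a relative path) with a check that first normalises the value the way browsers do before looking at the scheme. The base URL, the allowed-scheme set and the sample attribute values are constructed for the demonstration.

```java
import java.net.MalformedURLException;
import java.net.URL;
import java.util.Locale;
import java.util.Set;

/**
 * Added example (not jsoup's code): why a scheme check built on java.net.URL
 * resolution lets a control-character javascript: URL through, and a
 * browser-style normalisation step that closes the gap.
 */
public class LinkSchemeCheck {

    // Constructed allow-list: schemes a sanitizer might permit on href attributes.
    static final Set<String> ALLOWED = Set.of("http", "https", "mailto");

    /**
     * Naive check modelled on the behaviour the advisory describes: resolve the
     * value against a base URL and accept it when the resolved scheme is allowed.
     * java.net.URL does not accept "java\tscript" as a scheme because of the tab,
     * so the value is treated as a relative path, inherits the base's "https"
     * scheme and passes, even though the original string is what gets emitted.
     */
    static boolean naiveIsAllowed(String base, String value) {
        try {
            URL resolved = new URL(new URL(base), value);
            return ALLOWED.contains(resolved.getProtocol().toLowerCase(Locale.ROOT));
        } catch (MalformedURLException e) {
            // e.g. "unknown protocol: javascript" for a plain javascript: value
            return false;
        }
    }

    /**
     * Normalise as browsers do before URL parsing: drop ASCII tab, LF and CR
     * anywhere in the string, then trim leading/trailing C0 controls and spaces.
     */
    static String browserNormalise(String value) {
        String s = value.replaceAll("[\\t\\n\\r]", "");
        return s.replaceAll("^[\\x00-\\x20]+|[\\x00-\\x20]+$", "");
    }

    /**
     * Hardened check: inspect the scheme of the normalised string directly.
     * No scheme means a relative link (accepted); a syntactically valid scheme
     * must be on the allow-list.
     */
    static boolean hardenedIsAllowed(String value) {
        String s = browserNormalise(value);
        int colon = s.indexOf(':');
        if (colon < 0) return true;                      // no scheme: relative link
        String scheme = s.substring(0, colon).toLowerCase(Locale.ROOT);
        // A URL scheme is ALPHA *(ALPHA / DIGIT / "+" / "-" / "."); anything else
        // means the colon belongs to a path, which browsers also treat as relative.
        if (!scheme.matches("[a-z][a-z0-9+.-]*")) return true;
        return ALLOWED.contains(scheme);
    }

    public static void main(String[] args) {
        String base = "https://example.com/";
        // Constructed samples; the last one is the tab-in-scheme form the advisory describes.
        String[] samples = {
            "/docs/page.html", "https://example.com/x", "javascript:void(0)", "java\tscript:void(0)"
        };
        for (String v : samples) {
            System.out.printf("%-24s naive=%-5s hardened=%-5s%n",
                    v.replace("\t", "\\t"), naiveIsAllowed(base, v), hardenedIsAllowed(v));
        }
    }
}
```

Running it shows the naive check accepting the tab-containing value (it resolves to `https`), while the hardened check rejects it once the tab is stripped and the scheme reads `javascript`. A pre-check like this only supplements the remedy the advisory gives, upgrading to jsoup 1.15.3, and a Content Security Policy remains the backstop if any sanitizer is bypassed.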
What is the Impact of CVE-2022-36033?
Successful exploitation may allow attackers to execute arbitrary scripts in the victim's browser, leading to session hijacking, data theft, or defacement of the website.
What is the Exploitability of CVE-2022-36033?
Exploitation complexity is moderate, requiring an attacker to be able to submit crafted HTML content to an application that uses jsoup for sanitization. The primary prerequisites are that a vulnerable jsoup version (before 1.15.3) is in use, the SafeList.preserveRelativeLinks option is enabled, and the target website does not enforce an adequate Content Security Policy (CSP). No authentication beyond the ability to submit content is required, and privilege requirements are low. This is typically a remote vulnerability, as the attacker injects malicious HTML. The most significant constraint is that SafeList.preserveRelativeLinks must be enabled and a strong CSP must be absent. Risk increases significantly on sites that accept user-provided HTML content, such as forums or comment sections, and where administrators are unaware of the implications of the preserveRelativeLinks option.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2022-36033?
Available Upgrade Options
- org.jsoup:jsoup
- <1.15.3 → Upgrade to 1.15.3
Additional Resources
- https://osv.dev/vulnerability/GHSA-gp7f-rwcx-9369
- https://github.com/jhy/jsoup
- https://nvd.nist.gov/vuln/detail/CVE-2022-36033
- https://github.com/jhy/jsoup/releases/tag/jsoup-1.15.3
- https://jsoup.org/news/release-1.15.3
- https://github.com/jhy/jsoup/security/advisories/GHSA-gp7f-rwcx-9369
- https://security.netapp.com/advisory/ntap-20221104-0006
What are Similar Vulnerabilities to CVE-2022-36033?
Similar Vulnerabilities: CVE-2021-31589, CVE-2020-28188, CVE-2020-1748, CVE-2021-23397, CVE-2021-41973
