
CVE-2022-36033

jsoup may not sanitize Cross-Site Scripting (XSS) attempts if SafeList.preserveRelativeLinks is enabled

  • Severity Score: 6.1 (CVSS v3.1)
  • Exploit Likelihood: - (EPSS)
  • Affected Versions: - (CPE)
  • Public Exploits: 1 (Multiple Sources)
  • Exploited in Wild: - (KEV)
  • Decision: - (SSVC)
Descriptions

jsoup is a Java HTML parser, built for HTML editing, cleaning, scraping, and cross-site scripting (XSS) safety. jsoup may incorrectly sanitize HTML including `javascript:` URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the non-default `SafeList.preserveRelativeLinks` option is enabled, HTML including `javascript:` URLs that have been crafted with control characters will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is then possible. This issue is patched in jsoup 1.15.3. Users should upgrade to this version. Additionally, as the unsanitized input may have been persisted, old content should be cleaned again using the updated version. To remediate this issue without immediately upgrading:
  • disable `SafeList.preserveRelativeLinks`, which will rewrite input URLs as absolute URLs
  • ensure an appropriate [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) is defined. (This should be used regardless of upgrading, as a defence-in-depth best practice.)

jsoup is a Java HTML parser, built for HTML editing, cleaning and scraping, and for safety against cross-site scripting (XSS) vulnerabilities. jsoup may incorrectly sanitize HTML that includes "javascript:" URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the non-default "SafeList.preserveRelativeLinks" option is enabled, HTML that includes "javascript:" URL expressions crafted with control characters will not be sanitized. If the site on which this HTML is published does not set a Content Security Policy, an XSS attack is possible. This issue has been fixed in jsoup version 1.15.3. Users should upgrade to this version. Additionally, since the unsanitized input may have been persisted, old content should be cleaned again using the updated version. To mitigate this issue without upgrading immediately:
  • disable "SafeList.preserveRelativeLinks", which will rewrite input URLs as absolute URLs
  • ensure that an appropriate [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) is defined. (This should be used regardless of upgrading, as a defence-in-depth best practice.)

A flaw was found in jsoup, a Java HTML parser built for HTML editing, cleaning, scraping, and Cross-site scripting (XSS) safety. An issue in jsoup may incorrectly sanitize HTML, including `javascript:` URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the non-default `SafeList.preserveRelativeLinks` option is enabled, HTML, including `javascript:` URLs crafted with control characters, will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is possible.
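As an added example (not jsoup project code or part of this record), assuming jsoup 1.15.3 on the classpath and a constructed base URI: the sanitizer call with `preserveRelativeLinks` explicitly left disabled, so relative links are rewritten as absolute URLs as the remediation describes, plus a post-clean check usable when re-cleaning previously persisted content.

```java
import java.util.Locale;
import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;
import org.jsoup.nodes.Element;
import org.jsoup.safety.Safelist;

public class SafeHtmlCleaner {
    // Constructed base URI. With preserveRelativeLinks left false (the default),
    // jsoup resolves every href/src against it and emits absolute URLs.
    private static final String BASE_URI = "https://example.org/";

    private static Safelist safelist() {
        // Stated explicitly so a later edit cannot silently enable the option
        // that CVE-2022-36033 concerns.
        return Safelist.basic().preserveRelativeLinks(false);
    }

    /** Cleans an untrusted HTML fragment before it is stored or rendered. */
    public static String clean(String untrustedHtml) {
        return Jsoup.clean(untrustedHtml, BASE_URI, safelist());
    }

    /**
     * Defence-in-depth check after cleaning (also for re-cleaned old content):
     * true if any anchor still carries a javascript: scheme. Control characters
     * are stripped first, since the advisory describes URLs crafted with them.
     */
    public static boolean hasScriptLink(String cleanedHtml) {
        Document doc = Jsoup.parseBodyFragment(cleanedHtml, BASE_URI);
        for (Element a : doc.select("a[href]")) {
            String href = a.attr("href")
                    .replaceAll("\\p{Cntrl}", "")
                    .trim()
                    .toLowerCase(Locale.ROOT);
            if (href.startsWith("javascript:")) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample: one relative link and one plain javascript: link.
        String sample = "<p>See <a href=\"/docs\">docs</a> or "
                + "<a href=\"javascript:void(0)\">click</a>.</p>";
        String cleaned = clean(sample);
        System.out.println(cleaned); // relative link becomes absolute; javascript: href is dropped
        System.out.println("script link survived: " + hasScriptLink(cleaned));
    }
}
```

Content stored before the upgrade is passed through `clean` again, as the advisory recommends, and `hasScriptLink` flags any record that still needs attention.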

*Credits: N/A
CVSS Scores
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality: Low
  • Integrity: Low
  • Availability: None
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2022-07-15 CVE Reserved
  • 2022-08-29 CVE Published
  • 2024-03-21 EPSS Updated
  • 2024-08-03 CVE Updated
  • 2024-08-03 First Exploit
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CWE-87: Improper Neutralization of Alternate XSS Syntax
CAPEC
Affected Vendors, Products, and Versions

| Vendor | Product | Version | Other | Status |
|---|---|---|---|---|
| Jsoup | Jsoup | < 1.15.3 | - | Affected |
| Netapp | Management Services For Element Software | - | - | Affected |
| Netapp | Management Services For Netapp Hci | - | - | Affected |
| Netapp | Oncommand Workflow Automation | - | - | Affected |