CVE-2022-36033
jsoup may not sanitize Cross-Site Scripting (XSS) attempts if SafeList.preserveRelativeLinks is enabled
Summary
- Public Exploits: 1
- Exploited in Wild: -
Descriptions
jsoup is a Java HTML parser, built for HTML editing, cleaning, scraping, and cross-site scripting (XSS) safety. jsoup may incorrectly sanitize HTML including `javascript:` URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the non-default `SafeList.preserveRelativeLinks` option is enabled, HTML including `javascript:` URLs that have been crafted with control characters will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is then possible. This issue is patched in jsoup 1.15.3. Users should upgrade to this version. Additionally, as the unsanitized input may have been persisted, old content should be cleaned again using the updated version. To remediate this issue without immediately upgrading:
- disable `SafeList.preserveRelativeLinks`, which will rewrite input URLs as absolute URLs
- ensure an appropriate [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) is defined. (This should be used regardless of upgrading, as a defence-in-depth best practice.)
jsoup is a Java HTML parser, built for HTML editing, cleaning and scraping, and for safety against cross-site scripting (XSS) vulnerabilities. jsoup may incorrectly sanitize HTML that includes "javascript:" URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the non-default "SafeList.preserveRelativeLinks" option is enabled, HTML that includes "javascript:" URL expressions crafted with control characters will not be sanitized. If the site on which this HTML is published does not set a content security policy, an XSS attack is possible. This issue has been fixed in jsoup version 1.15.3. Users should update to this version. In addition, since the unsanitized input may have been persisted, old content should be cleaned again using the updated version. To mitigate this issue without having to update immediately:
- disable "SafeList.preserveRelativeLinks", which will rewrite input URLs as absolute URLs
- make sure an appropriate [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) is defined. (This should be used regardless of the update, as a defence-in-depth best practice.)
A flaw was found in jsoup, a Java HTML parser built for HTML editing, cleaning, scraping, and Cross-site scripting (XSS) safety. An issue in jsoup may incorrectly sanitize HTML, including `javascript:` URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the non-default `SafeList.preserveRelativeLinks` option is enabled, HTML, including `javascript:` URLs crafted with control characters, will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is possible.
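The following is an added example, not code from the advisory or from the jsoup project, showing the two remediations above in one place: a sanitizer that keeps `preserveRelativeLinks` at its default of `false` (so links are resolved to absolute URLs against a base URI and the safelist's protocol check applies), and a helper that sets a Content Security Policy header on the response that renders the cleaned content. It assumes jsoup 1.15.3 and the `javax.servlet` API on the classpath; `BASE_URI`, the CSP value, and the class and method names are choices made for this example. Previously stored content should be passed through `sanitize` again, as the advisory recommends.

```java
// Added example: jsoup Safelist configured per the CVE-2022-36033 remediation.
// Not part of the advisory or the jsoup project. Assumes jsoup 1.15.3 and the
// javax.servlet API; BASE_URI and the CSP string are placeholder choices.
import org.jsoup.Jsoup;
import org.jsoup.safety.Safelist;

import javax.servlet.http.HttpServletResponse;

public final class UserHtmlSanitizer {

    // Hypothetical site origin. With preserveRelativeLinks off (the default),
    // relative hrefs in user content are rewritten as absolute URLs under it.
    private static final String BASE_URI = "https://example.invalid/";

    // Defence-in-depth policy applied whether or not jsoup has been upgraded.
    private static final String CSP =
            "default-src 'self'; script-src 'self'; object-src 'none'";

    private UserHtmlSanitizer() {}

    // Safelist for user-supplied HTML: Safelist.basic() with relative-link
    // preservation explicitly left off. Enabling it on jsoup < 1.15.3 is the
    // non-default setting the advisory describes.
    static Safelist safelist() {
        return Safelist.basic().preserveRelativeLinks(false);
    }

    // Cleans untrusted HTML. Elements and attributes outside the safelist are
    // removed; surviving links are resolved against BASE_URI.
    public static String sanitize(String untrustedHtml) {
        return Jsoup.clean(untrustedHtml, BASE_URI, safelist());
    }

    // Sets the CSP header on a response that will render sanitized content.
    public static void applyCsp(HttpServletResponse response) {
        response.setHeader("Content-Security-Policy", CSP);
    }

    public static void main(String[] args) {
        // Constructed sample input: a relative link and an inline script.
        String sample = "<p>See <a href=\"/docs\">docs</a></p><script>alert(1)</script>";
        // Safelist.basic() does not allow <script>, and the relative href is
        // resolved against BASE_URI rather than preserved as written.
        System.out.println(sanitize(sample));
    }
}
```

`applyCsp` is meant to be called from the servlet or filter that writes the page containing the sanitized HTML; the policy value is an example and should be adapted to the site's own script and resource origins.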
SSVC
- Decision: -
Timeline
- 2022-07-15 CVE Reserved
- 2022-08-29 CVE Published
- 2024-03-21 EPSS Updated
- 2024-08-03 CVE Updated
- 2024-08-03 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- CWE-87: Improper Neutralization of Alternate XSS Syntax
References (6)
URL | Tag | Date |
---|---|---|
https://github.com/jhy/jsoup/releases/tag/jsoup-1.15.3 | Release Notes | |
https://security.netapp.com/advisory/ntap-20221104-0006 | Third Party Advisory | |
https://github.com/jhy/jsoup/security/advisories/GHSA-gp7f-rwcx-9369 | | 2024-08-03 |
https://jsoup.org/news/release-1.15.3 | | 2022-12-08 |
https://access.redhat.com/security/cve/CVE-2022-36033 | | 2024-10-14 |
https://bugzilla.redhat.com/show_bug.cgi?id=2127078 | | 2024-10-14 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Jsoup | Jsoup | < 1.15.3 | - | Affected |
Netapp | Management Services For Element Software | - | - | Affected |
Netapp | Management Services For Netapp Hci | - | - | Affected |
Netapp | Oncommand Workflow Automation | - | - | Affected |