CVE-2022-36033

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-36033

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-36033.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2022-36033

Aliases

GHSA-gp7f-rwcx-9369

Related

Published

2022-08-29T17:15:08Z

Modified

2024-09-18T03:21:01.864982Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

jsoup is a Java HTML parser, built for HTML editing, cleaning, scraping, and cross-site scripting (XSS) safety. jsoup may incorrectly sanitize HTML including javascript: URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the non-default SafeList.preserveRelativeLinks option is enabled, HTML including javascript: URLs that have been crafted with control characters will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is then possible. This issue is patched in jsoup 1.15.3. Users should upgrade to this version. Additionally, as the unsanitized input may have been persisted, old content should be cleaned again using the updated version. To remediate this issue without immediately upgrading: - disable SafeList.preserveRelativeLinks, which will rewrite input URLs as absolute URLs - ensure an appropriate Content Security Policy is defined. (This should be used regardless of upgrading, as a defence-in-depth best practice.)

References

Affected packages

Debian:11 / jsoup

Package

Name: jsoup
Purl: pkg:deb/debian/jsoup?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.10.2-2

1.13.1-1

1.14.2-1

1.14.3-1~bpo11+1

1.14.3-1

1.15.1-1

1.15.2-1

1.15.3-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / jsoup

Package

Name: jsoup
Purl: pkg:deb/debian/jsoup?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.15.3-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / jsoup

Package

Name: jsoup
Purl: pkg:deb/debian/jsoup?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.15.3-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/jhy/jsoup

Affected ranges

Type: GIT
Repo: https://github.com/jhy/jsoup
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

c5964172763e1495786ad584c368ac3346d0ca8c

Affected versions

1.*

1.12.2

jsoup-1.*

jsoup-1.10.1

jsoup-1.10.2

jsoup-1.10.3

jsoup-1.11.1

jsoup-1.11.2

jsoup-1.11.3

jsoup-1.12.1

jsoup-1.12.2

jsoup-1.13.1

jsoup-1.14.1

jsoup-1.14.2

jsoup-1.14.3

jsoup-1.15.1

jsoup-1.15.2

jsoup-1.6.2

jsoup-1.6.3

jsoup-1.7.1

jsoup-1.7.2

jsoup-1.7.3

jsoup-1.8.1.a

jsoup-1.8.2

jsoup-1.8.3

jsoup-1.8.3a

jsoup-1.9.1

jsoup-1.9.1a

jsoup-1.9.2