CVE-2022-36033
August 29, 2022
jsoup is a Java HTML parser, built for HTML editing, cleaning, scraping, and cross-site scripting (XSS) safety. jsoup may incorrectly sanitize HTML including "javascript:" URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the non-default "SafeList.preserveRelativeLinks" option is enabled, HTML including "javascript:" URLs that have been crafted with control characters will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is then possible. This issue is patched in jsoup 1.15.3. Users should upgrade to this version. Additionally, as the unsanitized input may have been persisted, old content should be cleaned again using the updated version. To remediate this issue without immediately upgrading: - disable "SafeList.preserveRelativeLinks", which will rewrite input URLs as absolute URLs - ensure an appropriate "Content Security Policy" (https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) is defined. (This should be used regardless of upgrading, as a defence-in-depth best practice.)
Affected Packages
org.jsoup:jsoup (JAVA):
Affected version(s) >=0.2.1b <1.15.3Fix Suggestion:
Update to version 1.15.3Additional Notes
The description of this vulnerability differs from MITRE.
Related ResourcesĀ (10)
Do you need more information?
Contact UsCVSS v4
Base Score:
5.3
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
PASSIVE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
LOW
Vulnerable System Availability
NONE
Subsequent System Confidentiality
LOW
Subsequent System Integrity
LOW
Subsequent System Availability
NONE
CVSS v3
Base Score:
6.1
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality
LOW
Integrity
LOW
Availability
NONE
Weakness Type (CWE)
EPSS
Base Score:
1.64
