Bug 2127078 (CVE-2022-36033)

Summary: CVE-2022-36033 jsoup: The jsoup cleaner may incorrectly sanitize crafted XSS attempts if SafeList.preserveRelativeLinks is enabled
Product: [Other] Security Response
Reporter: Sandipan Roy <saroy>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: asoldano, bbaranow, bbuckingham, bcourt, bmaxwell, brian.stansberry, cdewolf, chazlett, darran.lofthouse, dkreling, dosoudil, ehelms, extras-orphan, fjuma, hhorak, iweiss, jaromir.capik, java-sig-commits, jochrist, jorton, jsherril, jwon, lgao, lzap, mhulan, mizdebsk, mkoncek, mmccune, mosmerov, msochure, msvehla, nmoumoul, nwallace, orabin, pcreech, pjindal, pmackay, rchan, rstancel, smaestri, tom.jenkinson
Target Milestone: ---
Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in jsoup, a Java HTML parser built for HTML editing, cleaning, scraping, and Cross-site scripting (XSS) safety. An issue in jsoup may incorrectly sanitize HTML, including `javascript:` URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the non-default `SafeList.preserveRelativeLinks` option is enabled, HTML, including `javascript:` URLs crafted with control characters, will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is possible.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2127080, 2127081, 2127082, 2127083, 2127084, 2127085, 2127086, 2127087    
Bug Blocks: 2122630    

Description Sandipan Roy 2022-09-15 09:57:35 UTC
jsoup is a Java HTML parser, built for HTML editing, cleaning, scraping, and cross-site scripting (XSS) safety. jsoup may incorrectly sanitize HTML including `javascript:` URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the non-default `SafeList.preserveRelativeLinks` option is enabled, HTML including `javascript:` URLs that have been crafted with control characters will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is then possible.

This issue is patched in jsoup 1.15.3. Users should upgrade to this version. Additionally, as the unsanitized input may have been persisted, old content should be cleaned again using the updated version.

To remediate this issue without immediately upgrading:

- disable `SafeList.preserveRelativeLinks`, which will rewrite input URLs as absolute URLs
- ensure an appropriate [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) is defined. (This should be used regardless of upgrading, as a defence-in-depth best practice.)

https://github.com/jhy/jsoup/security/advisories/GHSA-gp7f-rwcx-9369
https://github.com/jhy/jsoup/releases/tag/jsoup-1.15.3
https://jsoup.org/news/release-1.15.3
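The following is an added example illustrating the two remediation steps from the description (disabling `preserveRelativeLinks` and re-cleaning persisted content); it is not code from the jsoup project or from this bug report. It uses the public jsoup 1.15.x API (`Safelist`, `Jsoup.clean`, `Jsoup.isValid`); the base URI, the class name, the sample HTML fragments and the CSP value are assumptions chosen for the example.

```java
import org.jsoup.Jsoup;
import org.jsoup.safety.Safelist;

public class JsoupCleanerConfig {

    // Base URI used to absolutise relative links once preserveRelativeLinks
    // is off. Assumed value for this example; use the site's real origin.
    static final String BASE_URI = "https://example.org/";

    // Recommended header to deploy alongside the cleaner (assumed policy value;
    // it must be set by the web layer, jsoup does not emit HTTP headers).
    static final String CSP_HEADER = "Content-Security-Policy";
    static final String CSP_VALUE = "default-src 'self'";

    // Weak configuration named in the advisory: relative links are kept as
    // written instead of being resolved, which is the code path affected on
    // jsoup versions before 1.15.3.
    static Safelist weakSafelist() {
        return Safelist.basic().preserveRelativeLinks(true);
    }

    // Mitigated configuration: preserveRelativeLinks stays at its default
    // (false), so every href is resolved against BASE_URI to an absolute URL
    // and must use one of the protocols Safelist.basic() allows for <a href>
    // (ftp, http, https, mailto); anything else is dropped.
    static Safelist hardenedSafelist() {
        return Safelist.basic();
    }

    // Clean untrusted HTML with the hardened safelist. The base URI argument is
    // required for relative links to survive; without it they are removed.
    static String clean(String untrustedHtml) {
        return Jsoup.clean(untrustedHtml, BASE_URI, hardenedSafelist());
    }

    // Re-clean content that was stored while the weak configuration was in
    // use: the advisory notes that unsanitized input may have been persisted.
    static String recleanStored(String storedHtml) {
        return clean(storedHtml);
    }

    // True only if the fragment would pass the hardened safelist unchanged;
    // useful as a triage check over stored records before rewriting them.
    static boolean isAlreadyClean(String html) {
        return Jsoup.isValid(html, hardenedSafelist());
    }

    public static void main(String[] args) {
        // Constructed sample inputs for the example.
        String relativeLink = "<a href=\"/docs/intro\">Docs</a>";
        String disallowedProtocol = "<a href=\"javascript:void(0)\">Click</a>";

        System.out.println("relative link -> " + clean(relativeLink));
        System.out.println("disallowed protocol -> " + clean(disallowedProtocol));
        System.out.println("relative link already clean? " + isAlreadyClean(relativeLink));
        System.out.println("disallowed protocol already clean? " + isAlreadyClean(disallowedProtocol));
        System.out.println("header to send: " + CSP_HEADER + ": " + CSP_VALUE);
    }
}
```

`weakSafelist()` is kept only to show the setting the advisory warns about; production code should use `hardenedSafelist()` and, per the description, still upgrade to 1.15.3 and run `recleanStored` over previously persisted content. Because `preserveRelativeLinks(false)` rewrites relative links to absolute ones, any downstream code that expected root-relative paths in cleaned output should be checked after the change.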

Comment 1 Sandipan Roy 2022-09-15 10:02:12 UTC
Created javapackages-bootstrap tracking bugs for this issue:

Affects: fedora-all [bug 2127081]


Created jsoup tracking bugs for this issue:

Affects: fedora-all [bug 2127082]