Bug 2127078 (CVE-2022-36033) - CVE-2022-36033 jsoup: The jsoup cleaner may incorrectly sanitize crafted XSS attempts if SafeList.preserveRelativeLinks is enabled
Summary: CVE-2022-36033 jsoup: The jsoup cleaner may incorrectly sanitize crafted XSS ...
Keywords:
Status: NEW
Alias: CVE-2022-36033
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2127080 2127081 2127082 2127083 2127084 2127085 2127086 2127087
Blocks: 2122630
Reported: 2022-09-15 09:57 UTC by Sandipan Roy
Modified: 2023-07-07 08:35 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in jsoup, a Java HTML parser built for HTML editing, cleaning, scraping, and Cross-site scripting (XSS) safety. An issue in jsoup may incorrectly sanitize HTML, including `javascript:` URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the non-default `SafeList.preserveRelativeLinks` option is enabled, HTML, including `javascript:` URLs crafted with control characters, will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is possible.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Sandipan Roy 2022-09-15 09:57:35 UTC
jsoup is a Java HTML parser, built for HTML editing, cleaning, scraping, and cross-site scripting (XSS) safety. jsoup may incorrectly sanitize HTML including `javascript:` URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the non-default `SafeList.preserveRelativeLinks` option is enabled, HTML including `javascript:` URLs that have been crafted with control characters will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is then possible.

This issue is patched in jsoup 1.15.3. Users should upgrade to this version. Additionally, as the unsanitized input may have been persisted, old content should be cleaned again using the updated version.

To remediate this issue without immediately upgrading:

- disable `SafeList.preserveRelativeLinks`, which will rewrite input URLs as absolute URLs
- ensure an appropriate [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) is defined. (This should be used regardless of upgrading, as a defence-in-depth best practice.)

https://github.com/jhy/jsoup/security/advisories/GHSA-gp7f-rwcx-9369
https://github.com/jhy/jsoup/releases/tag/jsoup-1.15.3
https://jsoup.org/news/release-1.15.3
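The configuration contrast and the post-upgrade re-clean step described in the report above, as an added example that is not part of this bug report or of jsoup's own code. It runs the same fragments through a `Safelist` with `preserveRelativeLinks` enabled and through the default `Safelist` (which resolves links against a base URI), then inspects each cleaned result for an `href` that still reads as `javascript:` once the control characters a browser would ignore are stripped. The probe strings are constructed here to represent the class of input the advisory describes; whether a given probe survives depends on the jsoup version on the classpath (compare 1.15.2 with 1.15.3), and the class name, method names and the base URI `https://example.org/` are all assumptions of this example.

```java
import java.util.ArrayList;
import java.util.List;

import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;
import org.jsoup.nodes.Element;
import org.jsoup.safety.Safelist;

public class JsoupCleanerCheck {

    // Constructed probe inputs (not taken from the advisory). The first three embed
    // control characters inside or before a javascript: URL, which browsers strip
    // before dispatching the link; the last is an ordinary relative link that a
    // correct cleaner should keep.
    static final String[] PROBES = {
        "<a href=\"java\tscript:alert(1)\">tab inside scheme</a>",
        "<a href=\"java\nscript:alert(1)\">newline inside scheme</a>",
        "<a href=\"\u0001javascript:alert(1)\">leading control char</a>",
        "<a href=\"/docs/page.html\">relative link that should survive</a>",
    };

    // Assumed base URI: with preserveRelativeLinks=false jsoup resolves relative
    // hrefs against it, so the protocol check runs on an absolute URL.
    static final String BASE_URI = "https://example.org/";

    static String clean(String html, Safelist safelist) {
        return Jsoup.clean(html, BASE_URI, safelist);
    }

    // True if any <a href> in the cleaned fragment still resolves to a javascript:
    // URL after removing ASCII control characters and spaces (0x00-0x20), which is
    // the normalisation a browser applies before choosing the URL scheme.
    static boolean hasScriptHref(String cleanedHtml) {
        Document doc = Jsoup.parseBodyFragment(cleanedHtml);
        for (Element a : doc.select("a[href]")) {
            String href = a.attr("href").replaceAll("[\\x00-\\x20]", "").toLowerCase();
            if (href.startsWith("javascript:")) {
                return true;
            }
        }
        return false;
    }

    // The advisory's post-upgrade step: re-run already persisted fragments through
    // the cleaner of the updated library, since unsanitised input may be stored.
    static List<String> recleanStored(List<String> stored, Safelist safelist) {
        List<String> out = new ArrayList<>();
        for (String fragment : stored) {
            out.add(clean(fragment, safelist));
        }
        return out;
    }

    public static void main(String[] args) {
        // Affected configuration before 1.15.3: relative links are kept verbatim.
        Safelist preserving = Safelist.basic().preserveRelativeLinks(true);
        // Mitigated configuration (the default): relative links become absolute.
        Safelist absolute = Safelist.basic();

        for (String probe : PROBES) {
            String shown = probe.replace("\n", "\\n").replace("\t", "\\t").replace("\u0001", "\\u0001");
            System.out.println("input: " + shown);
            String kept = clean(probe, preserving);
            String abs = clean(probe, absolute);
            System.out.println("  preserveRelativeLinks=true  -> " + kept
                + (hasScriptHref(kept) ? "   !! javascript: href survived" : ""));
            System.out.println("  preserveRelativeLinks=false -> " + abs
                + (hasScriptHref(abs) ? "   !! javascript: href survived" : ""));
        }

        // Re-clean a constructed "stored" batch with the current library and report
        // whether anything still carries a javascript: href.
        List<String> stored = List.of(PROBES);
        for (String fragment : recleanStored(stored, absolute)) {
            System.out.println("recleaned: " + fragment + (hasScriptHref(fragment) ? "   !! still unsafe" : ""));
        }
    }
}
```

Run it with the jsoup jar on the classpath under the version you actually ship; any line flagged `javascript: href survived` means that configuration lets the probe through on that version. The `hasScriptHref` check is deliberately independent of jsoup's own protocol test so it can be reused as a regression assertion over existing stored content, and a Content-Security-Policy that omits `'unsafe-inline'` for `script-src` should be set on the publishing site regardless of which jsoup version is in use, as the report recommends.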

Comment 1 Sandipan Roy 2022-09-15 10:02:12 UTC
Created javapackages-bootstrap tracking bugs for this issue:

Affects: fedora-all [bug 2127081]


Created jsoup tracking bugs for this issue:

Affects: fedora-all [bug 2127082]

