Bug 2127078 (CVE-2022-36033) - CVE-2022-36033 jsoup: The jsoup cleaner may incorrectly sanitize crafted XSS attempts if SafeList.preserveRelativeLinks is enabled
Keywords:
Status: NEW
Alias: CVE-2022-36033
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2127080 2127081 2127082 2127083 2127084 2127085 2127086 2127087
Blocks: 2122630
Reported: 2022-09-15 09:57 UTC by Sandipan Roy
Modified: 2025-05-06 08:28 UTC (History)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Links
System                   ID             Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata   RHSA-2024:8075 0        None      None    None     2024-10-14 18:00:37 UTC
Red Hat Product Errata   RHSA-2024:8076 0        None      None    None     2024-10-14 17:59:52 UTC
Red Hat Product Errata   RHSA-2024:8077 0        None      None    None     2024-10-14 17:59:14 UTC
Red Hat Product Errata   RHSA-2024:8080 0        None      None    None     2024-10-14 18:07:13 UTC

Description Sandipan Roy 2022-09-15 09:57:35 UTC
jsoup is a Java HTML parser, built for HTML editing, cleaning, scraping, and cross-site scripting (XSS) safety. jsoup may incorrectly sanitize HTML including `javascript:` URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the non-default `SafeList.preserveRelativeLinks` option is enabled, HTML including `javascript:` URLs that have been crafted with control characters will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is then possible.

This issue is patched in jsoup 1.15.3. Users should upgrade to this version. Additionally, as the unsanitized input may have been persisted, old content should be cleaned again using the updated version.

To remediate this issue without immediately upgrading:
- disable `SafeList.preserveRelativeLinks`, which will rewrite input URLs as absolute URLs
- ensure an appropriate [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) is defined. (This should be used regardless of upgrading, as a defence-in-depth best practice.)

https://github.com/jhy/jsoup/security/advisories/GHSA-gp7f-rwcx-9369
https://github.com/jhy/jsoup/releases/tag/jsoup-1.15.3
https://jsoup.org/news/release-1.15.3
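The cleaner configuration matching the mitigation above, as an added example that is not code from the bug report or from the jsoup project. It assumes a jsoup version whose safelist class is `org.jsoup.safety.Safelist` (the advisory text spells it `SafeList`) and uses a constructed base URI; the class name `CleanUntrustedHtml` and its methods are hypothetical.

```java
import org.jsoup.Jsoup;
import org.jsoup.safety.Safelist;

/**
 * Added example: clean untrusted HTML with preserveRelativeLinks left at its
 * default (false), so every href is resolved against a base URI and rewritten
 * as an absolute URL, which is the interim mitigation the advisory describes.
 */
public final class CleanUntrustedHtml {

    // Constructed placeholder: the origin the cleaned HTML will be served from.
    private static final String BASE_URI = "https://example.invalid/";

    /** Hardened cleaner: relative links are rewritten to absolute ones. */
    public static String cleanHardened(String untrustedHtml) {
        // Safelist.basic() allows only http, https, ftp and mailto in href,
        // and preserveRelativeLinks is false unless explicitly enabled.
        Safelist safelist = Safelist.basic();
        return Jsoup.clean(untrustedHtml, BASE_URI, safelist);
    }

    /** The non-default configuration the advisory says is affected, for comparison only. */
    public static String cleanPreservingRelativeLinks(String untrustedHtml) {
        Safelist safelist = Safelist.basic().preserveRelativeLinks(true);
        return Jsoup.clean(untrustedHtml, BASE_URI, safelist);
    }

    /**
     * Check content that was cleaned and persisted by an older version; anything
     * that fails should be re-cleaned with the upgraded library, as recommended.
     */
    public static boolean isStillValid(String storedHtml) {
        return Jsoup.isValid(storedHtml, Safelist.basic());
    }

    public static void main(String[] args) {
        // Constructed sample input: one relative link and one javascript: link.
        String input = "<a href=\"/docs\">docs</a> <a href=\"javascript:alert(1)\">x</a>";
        System.out.println("hardened:  " + cleanHardened(input));
        System.out.println("preserved: " + cleanPreservingRelativeLinks(input));
        System.out.println("stored content still valid: " + isStillValid(input));
    }
}
```

Run with jsoup on the classpath; compare the two outputs to confirm that the hardened path emits absolute `https://example.invalid/...` links and drops the disallowed scheme.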

Comment 1 Sandipan Roy 2022-09-15 10:02:12 UTC
Created javapackages-bootstrap tracking bugs for this issue:

Affects: fedora-all [bug 2127081]


Created jsoup tracking bugs for this issue:

Affects: fedora-all [bug 2127082]

Comment 8 errata-xmlrpc 2024-10-14 17:59:06 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9

Via RHSA-2024:8077 https://access.redhat.com/errata/RHSA-2024:8077

Comment 9 errata-xmlrpc 2024-10-14 17:59:45 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8

Via RHSA-2024:8076 https://access.redhat.com/errata/RHSA-2024:8076

Comment 10 errata-xmlrpc 2024-10-14 18:00:29 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7

Via RHSA-2024:8075 https://access.redhat.com/errata/RHSA-2024:8075

Comment 11 errata-xmlrpc 2024-10-14 18:07:07 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2024:8080 https://access.redhat.com/errata/RHSA-2024:8080

