Vulnerability Name:

CVE-2021-37714 (CCN-207858)

Assigned:2021-08-17
Published:2021-08-17
Updated:2022-12-07
Summary:jsoup before 1.14.2 is vulnerable to a denial of service, caused by improper input validation in its HTML and XML parser. An attacker who can supply input to an application that parses untrusted HTML or XML with jsoup could cause the parser to get stuck (loop until the thread is cancelled), to run until a timeout, or to throw unchecked exceptions that propagate into the calling thread, resulting in a denial of service condition. The issue is fixed in jsoup 1.14.2 (the OVAL definitions below track the corresponding jsoup 1.14.2 package updates); applications that cannot upgrade immediately should size-limit and time-bound parsing of untrusted input and catch unchecked exceptions from the parser.
CVSS v3 Severity:7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): High
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): High
CVSS v2 Severity:5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): Complete
Vulnerability Consequences:Denial of Service
References:Source: MITRE
Type: CNA
CVE-2021-37714

Source: XF
Type: UNKNOWN
jsoup-cve202137714-dos(207858)

Source: CCN
Type: jsoup GIT Repository
Crafted input may cause the jsoup HTML and XML parser to get stuck, timeout, or throw unchecked exceptions

Source: security-advisories@github.com
Type: Third Party Advisory
security-advisories@github.com

Source: security-advisories@github.com
Type: Release Notes, Vendor Advisory
security-advisories@github.com

Source: security-advisories@github.com
Type: Mailing List, Third Party Advisory
security-advisories@github.com

Source: security-advisories@github.com
Type: Third Party Advisory
security-advisories@github.com

Source: CCN
Type: IBM Security Bulletin 6492219 (Watson Discovery)
IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in jsoup

Source: CCN
Type: IBM Security Bulletin 6519468 (Curam Social Program Management)
Vulnerability in jsoup may affect Curam Social Program Management (CVE-2021-37714)

Source: CCN
Type: IBM Security Bulletin 6523988 (BPM Process Designer)
A CVE-2021-37714 vulnerability in jsoup affects IBM Process Designer in IBM Business Automation Workflow and IBM Business Process Manager

Source: CCN
Type: IBM Security Bulletin 6551876 (Cloud Pak for Security)
Cloud Pak for Security uses packages that are vulnerable to multiple CVEs

Source: CCN
Type: IBM Security Bulletin 6570915 (Data Risk Manager)
IBM Data Risk Manager is affected by multiple vulnerabilities including a remote code execution in Spring Framework (CVE-2022-22965)

Source: CCN
Type: IBM Security Bulletin 6570957 (Cognos Analytics)
IBM Cognos Analytics has addressed multiple vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6573003 (Security Guardium)
IBM Security Guardium is affected by a jsoup vulnerability (CVE-2021-37714)

Source: CCN
Type: Oracle CPUApr2022
Oracle Critical Patch Update Advisory - April 2022

Source: security-advisories@github.com
Type: Patch, Third Party Advisory
security-advisories@github.com

Source: CCN
Type: Oracle CPUJan2022
Oracle Critical Patch Update Advisory - January 2022

Source: security-advisories@github.com
Type: Patch, Third Party Advisory
security-advisories@github.com

Source: CCN
Type: Oracle CPUJul2022
Oracle Critical Patch Update Advisory - July 2022

Source: security-advisories@github.com
Type: Patch, Third Party Advisory
security-advisories@github.com

Vulnerable Configuration:Configuration CCN 1:
  • cpe:/a:jsoup:jsoup:1.14.1:*:*:*:*:*:*:*
  • AND
  • cpe:/a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:business_automation_workflow:18.0.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:watson_discovery:2.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_guardium:11.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_guardium:11.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_guardium:11.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:watson_discovery:2.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_guardium:11.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:business_automation_workflow:21.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_security:1.7.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cognos_analytics:11.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cognos_analytics:11.1.7:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:curam_social_program_management:8.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_guardium:11.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cognos_analytics:11.2.1:*:*:*:*:*:*:*
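The durable fix is to move to jsoup 1.14.2 or later in every affected product. Where an application must keep parsing untrusted HTML or XML on an older jsoup for a while, the failure modes named in the summary (a parser that never returns, one that returns late, and one that throws an unchecked exception) can each be bounded at the call site. The following is an added example written for this page, not code from jsoup or from any of the listed vendors; the byte limit, the timeout and the pool size are assumed values to be tuned for the real workload, and the sample document is constructed.

```java
import java.nio.charset.StandardCharsets;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;

/** Bounds jsoup parsing of untrusted input by size, wall-clock time and exception type. */
public final class BoundedJsoupParse {
    // Assumed limits for this example; tune for the real workload.
    private static final int MAX_INPUT_BYTES = 512 * 1024;
    private static final long PARSE_TIMEOUT_MS = 2_000;

    // Dedicated, bounded daemon pool: a wedged parse occupies one of these
    // threads instead of an application or request thread.
    private static final ExecutorService PARSER_POOL = Executors.newFixedThreadPool(4, r -> {
        Thread t = new Thread(r, "jsoup-parser");
        t.setDaemon(true);
        return t;
    });

    /**
     * Parses untrusted bytes as HTML. Rejects oversized input up front, gives up after
     * PARSE_TIMEOUT_MS, and converts any unchecked exception thrown inside the parser
     * into an IllegalArgumentException so the caller can treat it as bad input.
     */
    public static Document parseUntrusted(byte[] input, String baseUri) throws TimeoutException {
        if (input.length > MAX_INPUT_BYTES) {
            throw new IllegalArgumentException("input exceeds " + MAX_INPUT_BYTES + " bytes");
        }
        String html = new String(input, StandardCharsets.UTF_8);
        Future<Document> job = PARSER_POOL.submit(() -> Jsoup.parse(html, baseUri));
        try {
            return job.get(PARSE_TIMEOUT_MS, TimeUnit.MILLISECONDS);
        } catch (TimeoutException e) {
            // Best effort only: a parser stuck in a non-interruptible loop keeps its
            // pool thread (and its CPU) until the process exits. This caps latency for
            // the caller; it does not make a vulnerable jsoup safe.
            job.cancel(true);
            throw e;
        } catch (ExecutionException e) {
            // Unchecked exceptions from the parser surface here instead of
            // unwinding the caller's thread.
            throw new IllegalArgumentException("malformed input rejected", e.getCause());
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new IllegalArgumentException("interrupted while parsing", e);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample document for the demonstration.
        byte[] sample = "<html><body><p>hello</p></body></html>".getBytes(StandardCharsets.UTF_8);
        Document doc = parseUntrusted(sample, "https://example.invalid/");
        System.out.println(doc.body().text());
    }
}
```

The pool is deliberately small and separate from request-handling threads: once a crafted document wedges the parser, `Future.cancel(true)` cannot stop a CPU-bound loop, so each such input permanently consumes one pool slot. Watching the pool's active count (or a timeout counter) therefore doubles as a detection signal that someone is feeding the application inputs of this kind. The pattern is a stopgap for the window before jsoup 1.14.2 is deployed, not a replacement for the upgrade.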

  • * Denotes that component is vulnerable
    Oval Definitions (Class P = patch definition)
    Definition ID                          | Class | Title                                              | Last Modified
    oval:org.opensuse.security:def:8025    | P     | jsoup-1.15.3-150200.3.11.1 on GA media (Moderate)  | 2023-06-20
    oval:org.opensuse.security:def:8026    | P     | jsr-305-3.0.2-150200.3.7.5 on GA media (Moderate)  | 2023-06-20
    oval:org.opensuse.security:def:3396    | P     | w3m-0.5.3.git20161120-161.3.4 on GA media (Moderate) | 2022-06-28
    oval:org.opensuse.security:def:95026   | P     | jsoup-1.14.2-150200.3.3.1 on GA media (Moderate)   | 2022-06-22
    oval:org.opensuse.security:def:119181  | P     | Security update for jsoup, jsr-305 (Important)     | 2022-04-19
    oval:org.opensuse.security:def:101836  | P     | Security update for jsoup, jsr-305 (Important)     | 2022-04-19
    oval:org.opensuse.security:def:118684  | P     | Security update for jsoup, jsr-305 (Important)     | 2022-04-19
    oval:org.opensuse.security:def:119371  | P     | Security update for jsoup, jsr-305 (Important)     | 2022-04-19
    oval:org.opensuse.security:def:1158    | P     | Security update for jsoup, jsr-305 (Important)     | 2022-04-19
    oval:org.opensuse.security:def:118874  | P     | Security update for jsoup, jsr-305 (Important)     | 2022-04-19
    oval:org.opensuse.security:def:119556  | P     | Security update for jsoup, jsr-305 (Important)     | 2022-04-19
    oval:org.opensuse.security:def:119064  | P     | Security update for jsoup, jsr-305 (Important)     | 2022-04-19
    oval:org.opensuse.security:def:112480  | P     | jsoup-1.14.2-1.2 on GA media (Moderate)            | 2022-01-17
    oval:org.opensuse.security:def:112481  | P     | jsr-305-3.0.2-1.2 on GA media (Moderate)           | 2022-01-17
    oval:org.opensuse.security:def:105977  | P     | jsoup-1.14.2-1.2 on GA media (Moderate)            | 2021-10-01
    oval:org.opensuse.security:def:105978  | P     | jsr-305-3.0.2-1.2 on GA media (Moderate)           | 2021-10-01