7.5
CVE-2021-37714
- EPSS 0.59%
- Published 18.08.2021 15:15:08
- Last modified 21.11.2024 06:15:46
- Source security-advisories@github.com
- Teams watchlist Login
- Open Login
jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue is patched in version 1.14.2. There are a few available workarounds. Users may rate limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and timeout parse runtimes.
Data is provided by the National Vulnerability Database (NVD)
Oracle ≫ Banking Trade Finance Version14.5
Oracle ≫ Banking Treasury Management Version14.5
Oracle ≫ Business Process Management Suite Version12.2.1.3.0
Oracle ≫ Business Process Management Suite Version12.2.1.4.0
Oracle ≫ Flexcube Universal Banking Version >= 14.0.0 <= 14.3.0
Oracle ≫ Flexcube Universal Banking Version14.5
Oracle ≫ Hospitality Token Proxy Service Version19.2
Oracle ≫ Peoplesoft Enterprise Peopletools Version8.58
Oracle ≫ Peoplesoft Enterprise Peopletools Version8.59
Oracle ≫ Primavera Unifier Version20.12
Oracle ≫ Primavera Unifier Version21.12
Oracle ≫ Retail Customer Management And Segmentation Foundation Version >= 17.0 <= 19.0
Oracle ≫ Webcenter Portal Version12.2.1.3.0
Oracle ≫ Webcenter Portal Version12.2.1.4.0
Oracle ≫ Communications Messaging Server Version8.1
Oracle ≫ Financial Services Crime And Compliance Management Studio Version8.0.8.2.0
Oracle ≫ Financial Services Crime And Compliance Management Studio Version8.0.8.3.0
Oracle ≫ Middleware Common Libraries And Tools Version12.2.1.3.0
Oracle ≫ Middleware Common Libraries And Tools Version12.2.1.4.0
Oracle ≫ Stream Analytics Version < 19.1.0.0.6.4
Oracle ≫ Stream Analytics Version19c
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.59% | 0.683 |
| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|---|---|---|---|
| nvd@nist.gov | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
|
| nvd@nist.gov | 5 | 10 | 2.9 |
AV:N/AC:L/Au:N/C:N/I:N/A:P
|
| security-advisories@github.com | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
|
CWE-248 Uncaught Exception
An exception is thrown from a function, but it is not caught.
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.