7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-37714

GHSA ID

GHSA-m72m-mhq2-9p6c

EPSS Score

0.6523%

CWE

CWE-248

Published

8/23/2021

Updated

1/27/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-37714

CVE-2021-37714: Uncaught Exception in jsoup

Impact

What kind of vulnerability is it? Who is impacted? Those using jsoup to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack.

Patches

Has the problem been patched? What versions should users upgrade to? Users should upgrade to jsoup 1.14.2

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading? Users may rate limit input parsing. Users should limit the size of inputs based on system resources. Users should implement thread watchdogs to cap and timeout parse runtimes.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-37714

GHSA ID

GHSA-m72m-mhq2-9p6c

EPSS Score

0.6523%

CWE

CWE-248

Published

8/23/2021

Updated

1/27/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jsoup:jsoup	maven	< 1.14.2	1.14.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability manifests in HTML/XML parsing logic where: (1) The adoption agency algorithm (resetInsertionMode) could enter infinite loops with crafted input (CWE-835), (2) Attribute parsing functions lacked bounds checks leading to performance degradation (CWE-400), and (3) Active formatting element handling allowed amplification attacks. These conclusions are supported by explicit references to these components in the 1.14.2 release notes and CWE mappings.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t _W**t kin* o* vuln*r**ility is it? W*o is imp**t**?_ T*os* usin* jsoup to p*rs* untrust** *TML or XML m*y ** vuln*r**l* to *OS *tt**ks. I* t** p*rs*r is run on us*r suppli** input, *n *tt**k*r m*y supply *ont*nt t**t **us*s t** p*rs*r to *

Reasoning

T** vuln*r**ility m*ni**sts in *TML/XML p*rsin* lo*i* w**r*: (*) T** **option ***n*y *l*orit*m (`r*s*tIns*rtionMo**`) *oul* *nt*r in*init* loops wit* *r**t** input (*W*-***), (*) *ttri*ut* p*rsin* *un*tions l**k** *oun*s ****ks l***in* to p*r*orm*n**

7.5

Basic Information

Concerned about an active attack path?

CVE-2021-37714: Uncaught Exception in jsoup

Impact

Patches

Workarounds

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI