Bug#1018931: jsoup: CVE-2022-36033: The jsoup cleaner may incorrectly sanitize crafted XSS attempts if SafeList.preserveRelativeLinks is enabled
Salvatore Bonaccorso
carnil at debian.org
Fri Sep 2 07:42:21 BST 2022
Source: jsoup
Version: 1.15.2-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerability was published for jsoup.
CVE-2022-36033[0]:
| jsoup is a Java HTML parser, built for HTML editing, cleaning,
| scraping, and cross-site scripting (XSS) safety. jsoup may incorrectly
| sanitize HTML including `javascript:` URL expressions, which could
| allow XSS attacks when a reader subsequently clicks that link. If the
| non-default `SafeList.preserveRelativeLinks` option is enabled, HTML
| including `javascript:` URLs that have been crafted with control
| characters will not be sanitized. If the site that this HTML is
| published on does not set a Content Security Policy, an XSS attack is
| then possible. This issue is patched in jsoup 1.15.3. Users should
| upgrade to this version. Additionally, as the unsanitized input may
| have been persisted, old content should be cleaned again using the
| updated version. To remediate this issue without immediately
| upgrading: - disable `SafeList.preserveRelativeLinks`, which will
| rewrite input URLs as absolute URLs - ensure an appropriate [Content
| Security Policy](https://developer.mozilla.org/en-
| US/docs/Web/HTTP/CSP) is defined. (This should be used regardless of
| upgrading, as a defence-in-depth best practice.)
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-36033
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36033
[1] https://github.com/jhy/jsoup/security/advisories/GHSA-gp7f-rwcx-9369
[2] https://github.com/jhy/jsoup/commit/4ea768d96b3d232e63edef9594766d44597b3882
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
More information about the pkg-java-maintainers
mailing list