Find, fix and prevent vulnerabilities in your code.

Overview

org.yaml:snakeyaml is a YAML 1.1 parser and emitter for Java.

Affected versions of this package are vulnerable to Arbitrary Code Execution in the Constructor class, which does not restrict which types can be deserialized. This vulnerability is exploitable by an attacker who provides a malicious YAML file for deserialization, which circumvents the SafeConstructor class.

The maintainers of the library contend that the application's trust would already have had to be compromised or established and therefore dispute the risk associated with this issue on the basis that there is a high bar for exploitation.

Remediation

Upgrade org.yaml:snakeyaml to version 2.0 or higher.

References

• BitBucket Changelog
• Bitbucket Commit
• Bitbucket Issue
• BitBucket Issue
• BitBucket PR
• BitBucket PR
• PoC
• Snyk Blog - Technical Deepdive
• Vulnerable Class

Overview

Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may allow a denial of service attack if combined with another exploit.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like Remote Method Invocation (RMI), Java Management Extension (JMX), Java Messaging System (JMS), Action Message Format (AMF), Java Server Faces (JSF) ViewState, etc.

Deserialization of untrusted data (CWE-502), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.

Java deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a popular library (Apache Commons Collection). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.

An attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.

Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).

Remediation

Upgrade com.google.code.gson:gson to version 2.8.9 or higher.

References

• GitHub Commit Introducing Vulnerable Method
• GitHub Fix Commit
• GitHub PR

Overview

org.apache.commons:commons-compress is an API for working with compression and archive formats.

Affected versions of this package are vulnerable to Denial of Service (DoS). When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out-of-memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade org.apache.commons:commons-compress to version 1.21 or higher.

References

• Apache Security Advisory
• Apache Security Advisory
• Git Commit
• Git Commit
• Git Commit
• Git Commit
• Git Commit
• Git Commit
• Git Commit
• GitHub Commit
• Jira Issue

Overview

org.apache.commons:commons-compress is an API for working with compression and archive formats.

Affected versions of this package are vulnerable to Denial of Service (DoS). When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade org.apache.commons:commons-compress to version 1.21 or higher.

References

• Apache Security Advisory
• Apache Security Advisory
• Git Commit

Overview

org.apache.commons:commons-compress is an API for working with compression and archive formats.

Affected versions of this package are vulnerable to Denial of Service (DoS). When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out-of-memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade org.apache.commons:commons-compress to version 1.21 or higher.

References

• Apache Security Advisory
• Apache Security Advisory
• Git Commit
• Git Commit
• Git Commit

Overview

org.bouncycastle:bcprov-ext-jdk15on is a Java implementation of cryptographic algorithms.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the ASN1ObjectIdentifier. An attacker can cause excessive resource consumption by submitting specially crafted ASN.1 Object Identifiers, potentially leading to service disruption.

Note: This issue only applies to applications which do consume unvetted, or otherwise unvalidated, ASN.1 encodings.

Remediation

A fix was pushed into the master branch but not yet published.

References

• GitHub Commit
• GitHub Wiki

Overview

org.bouncycastle:bcprov-ext-jdk15on is a Java implementation of cryptographic algorithms.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to improper processing of large name constraint structures in PKIXCertPathReviewer. An attacker can cause excessive resource allocation by submitting specially crafted ASN.1 objects, potentially leading to service disruption.

Workaround

This vulnerability can be mitigated by limiting the size of ASN.1 objects that can be loaded from untrusted sources, thereby capping the maximum size of a Name Constraints structure.

Remediation

A fix was pushed into the master branch but not yet published.

References

• GitHub Commit
• GitHub Commit
• GitHub Wiki

Overview

org.bouncycastle:bcprov-jdk15on is a Java implementation of cryptographic algorithms.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the ASN1ObjectIdentifier. An attacker can cause excessive resource consumption by submitting specially crafted ASN.1 Object Identifiers, potentially leading to service disruption.

Note: This issue only applies to applications which do consume unvetted, or otherwise unvalidated, ASN.1 encodings.

Remediation

A fix was pushed into the master branch but not yet published.

References

• GitHub Commit
• GitHub Wiki

Overview

org.bouncycastle:bcprov-jdk15on is a Java implementation of cryptographic algorithms.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to improper processing of large name constraint structures in PKIXCertPathReviewer. An attacker can cause excessive resource allocation by submitting specially crafted ASN.1 objects, potentially leading to service disruption.

Workaround

This vulnerability can be mitigated by limiting the size of ASN.1 objects that can be loaded from untrusted sources, thereby capping the maximum size of a Name Constraints structure.

Remediation

A fix was pushed into the master branch but not yet published.

References

• GitHub Commit
• GitHub Commit
• GitHub Wiki

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Denial of Service (DoS) when using JDK serialization to serialize and deserialize JsonNode values. It is possible for the attacker to send a 4-byte length payload, with a value of Integer.MAX_VALUE , that will eventually cause large buffer allocation and out of heap memory.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.13.1, 2.12.6 or higher.

References

• GitHub Commit
• GitHub Issue

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Denial of Service (DoS) in the _deserializeFromArray() function in BeanDeserializer, due to resource exhaustion when processing a deeply nested array.

NOTE: For this vulnerability to be exploitable the non-default DeserializationFeature must be enabled.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.12.7.1, 2.13.4 or higher.

References

• Chromium Bugs
• GitHub Commit
• GitHub Commit
• GitHub Issue

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Denial of Service (DoS) in the _deserializeWrappedValue() function in StdDeserializer.java, due to resource exhaustion when processing deeply nested arrays.

NOTE: This vulnerability is only exploitable when the non-default UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.12.7.1, 2.13.4.1 or higher.

References

• Chromium Bugs
• Documentation
• GitHub Commit
• GitHub Commit
• GitHub Commit
• GitHub Issue

Overview

Affected versions of this package are vulnerable to Denial of Service (DoS) due to improper exception handling by the GzipSource class when parsing a malformed gzip buffer.

This vulnerability can be exploited on the Okio client when handling a crafted GZIP archive.

PoC

val gzBuf: Buffer = Buffer()
    try {
        val gzByteString: ByteString = ("1f8b41ff424242424343ffff").decodeHex()
        gzBuf.write(gzByteString)
        val gz: GzipSource = GzipSource(gzBuf)
        val sinkBuf: Buffer = Buffer()
        gz.read(sinkBuf, 5)
    }
    catch(e: IOException) {
        println("got error: " + e.toString())
    }

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade com.squareup.okio:okio to version 1.17.6, 3.4.0 or higher.

References

• GitHub Commit
• GitHub Commit
• GitHub Issue
• GitHub PR

Overview

org.bitbucket.b_c:jose4j is a robust and easy to use open source implementation of JSON Web Token (JWT) and the JOSE specification suite (JWS, JWE, and JWK). It is written in Java and relies solely on the JCA APIs for cryptography. Please see https://bitbucket.org/b_c/jose4j/wiki/Home for more info, examples, etc...

Affected versions of this package are vulnerable to Inadequate Encryption Strength through the iteration count setting, which can reduce the computational effort required to crack the encryption if it is set to a low value.

Remediation

Upgrade org.bitbucket.b_c:jose4j to version 0.9.3 or higher.

References

• Bitbucket Commit
• Bitbucket Issue
• Vulnerability Report

Overview

org.bouncycastle:bcprov-jdk15on is a Java implementation of cryptographic algorithms.

Affected versions of this package are vulnerable to Observable Discrepancy due to the timing difference between exceptions thrown when processing RSA key exchange handshakes, AKA Marvin.

Note: The implemented fix mitigates the leakage of data via the PKCS#1 interface, but does not fully alleviate the side-channel as it allows cases in which the padding check fails but the handshake succeeds.

Remediation

There is no fixed version for org.bouncycastle:bcprov-jdk15on.

References

• GitHub Commit
• GitHub Commit
• GitHub Commit
• GitHub Issue
• Vulnerability Report

Overview

com.google.protobuf:protobuf-java is a Google's language-neutral, platform-neutral, extensible mechanism for serializing structured data.

Affected versions of this package are vulnerable to Denial of Service (DoS) via the parsing procedure for binary and text format data. Input streams containing multiple instances of non-repeated embedded messages with repeated or unknown fields cause objects to be converted back and forth between mutable and immutable forms, resulting in potentially long garbage collection pauses.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade com.google.protobuf:protobuf-java to version 3.16.3, 3.19.6, 3.20.3, 3.21.7 or higher.

References

• Chromium Bugs
• GitHub Commit
• GitHub PR
• GitHub Release
• GitHub Release
• GitHub Release
• GitHub Release

Overview

org.bouncycastle:bcprov-ext-jdk15on is a Java implementation of cryptographic algorithms.

Affected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') within the org.bouncycastle.openssl.PEMParser class. Parsing a file that has crafted ASN.1 data through the PEMParser causes an OutOfMemoryError.

Workaround

The attack can be avoided by filtering PEM requests containing EXTERNAL tagged encodings.

Remediation

There is no fixed version for org.bouncycastle:bcprov-ext-jdk15on.

References

• GitHub Commit
• GitHub Commit
• GitHub Wiki

Overview

org.bouncycastle:bcprov-jdk15on is a Java implementation of cryptographic algorithms.

Affected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') within the org.bouncycastle.openssl.PEMParser class. Parsing a file that has crafted ASN.1 data through the PEMParser causes an OutOfMemoryError.

Workaround

The attack can be avoided by filtering PEM requests containing EXTERNAL tagged encodings.

Remediation

There is no fixed version for org.bouncycastle:bcprov-jdk15on.

References

• GitHub Commit
• GitHub Commit
• GitHub Wiki

Overview

org.bouncycastle:bcprov-jdk15on is a Java implementation of cryptographic algorithms.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the solveQuadraticEquation() function used for certificate verification in ECCurve.java. Passing a large f2m parameter can cause excessive CPU consumption.

Remediation

There is no fixed version for org.bouncycastle:bcprov-jdk15on.

References

• GitHub Commit
• GitHub Commit

Overview

com.fasterxml.jackson.core:jackson-core is a Core Jackson abstractions, basic JSON streaming API implementation

Affected versions of this package are vulnerable to Information Exposure due to the JsonLocation._appendSourceDesc method. An attacker can access up to 500 bytes of unintended memory content by exploiting exception messages that incorrectly read from the beginning of a byte array instead of the logical payload start.

Workaround

This vulnerability can be mitigated by disabling exception message exposure to clients to avoid returning parsing exception messages in HTTP responses and/or disabling source inclusion in exceptions to prevent Jackson from embedding any source content in exception messages, avoiding leakage.

PoC

byte[] buffer = new byte[1000];
System.arraycopy("SECRET".getBytes(), 0, buffer, 0, 6);
System.arraycopy("{ \"bad\": }".getBytes(), 0, buffer, 700, 10);

JsonFactory factory = new JsonFactory();
JsonParser parser = factory.createParser(buffer, 700, 20);
parser.nextToken(); // throws exception

// Exception message will include "SECRET"

Remediation

Upgrade com.fasterxml.jackson.core:jackson-core to version 2.13.0-rc1 or higher.

References

• GitHub Commit
• GitHub PR

Overview

com.squareup.okhttp3:okhttp is a HTTP & HTTP/2 client for Android and Java applications

Affected versions of this package are vulnerable to Information Exposure. When there's an illegal character in a header value, an IllegalArgumentException is thrown whose message includes the full header value.

PoC

package com.launchdarkly.eventsource;

import okhttp3.*;
import org.junit.Test;
import static org.hamcrest.MatcherAssert.*;
import static org.hamcrest.Matchers.*;

public class OkhttpHeaderExceptionTest {
  @Test
  public void invalidHeaderValueIsCapturedInException() throws Exception {
    String password = "very-secret-password";
    String badValue = password + "\n";
    
    try {
      Request req = new Request.Builder().url("http://github.com/path/doesnt/matter")
          .header("Authorization", badValue)
          .build();
    } catch (IllegalArgumentException e) {
      assertThat(e.getMessage(), not(containsString(password)));
    }
  }
}

Remediation

Upgrade com.squareup.okhttp3:okhttp to version 4.9.2 or higher.

References

• GitHub Commit
• GitHub Issue
• RedHat Bugzilla Bug

Overview

org.bouncycastle:bcprov-ext-jdk15on is a Java implementation of cryptographic algorithms.

Affected versions of this package are vulnerable to Cryptographic Issues via weak key-hash message authentication code (HMAC) that is only 16 bits long which can result in hash collisions, as a result of an error within the BKS version 1 keystore (BKS-V1) files and could lead to an attacker being able to affect the integrity of these files. This vulnerability was introduced following an incomplete fix for CVE-2018-5382.

Remediation

Upgrade org.bouncycastle:bcprov-ext-jdk15on to version 1.69 or higher.

References

• GitHub Commit
• GitHub Issue
• GitHub Issue
• PoC

Overview

org.bouncycastle:bcprov-jdk15on is a Java implementation of cryptographic algorithms.

Affected versions of this package are vulnerable to Cryptographic Issues via weak key-hash message authentication code (HMAC) that is only 16 bits long which can result in hash collisions, as a result of an error within the BKS version 1 keystore (BKS-V1) files and could lead to an attacker being able to affect the integrity of these files. This vulnerability was introduced following an incomplete fix for CVE-2018-5382.

Remediation

Upgrade org.bouncycastle:bcprov-jdk15on to version 1.69 or higher.

References

• GitHub Commit
• GitHub Issue
• GitHub Issue
• PoC

Overview

org.bouncycastle:bcprov-jdk15on is a Java implementation of cryptographic algorithms.

Affected versions of this package are vulnerable to Information Exposure due to missing validation for the X.500 name of any certificate, subject, or issuer. The presence of a wild card may lead to information disclosure. This could allow a malicious user to obtain unauthorized information via blind LDAP Injection, exploring the environment and enumerating data.

Note:

The exploit depends on the structure of the target LDAP directory as well as what kind of errors are exposed to the user.

Remediation

A fix was pushed into the master branch but not yet published.

References

• GitHub Commit
• GitHub Wiki
• RedHat Bugzilla Bug

Overview

org.yaml:snakeyaml is a YAML 1.1 parser and emitter for Java.

Affected versions of this package are vulnerable to Stack-based Buffer Overflow when parsing crafted untrusted YAML files, which can lead to a denial-of-service.

Remediation

Upgrade org.yaml:snakeyaml to version 1.31 or higher.

References

• Bitbucket Commit
• Bitbucket Issue
• Chromium Bugs

Overview

org.jsoup:jsoup is a Java library for working with real-world HTML. It provides a very convenient API for extracting and manipulating data, using the best of DOM, CSS, and jquery-like methods. jsoup implements the WHATWG HTML5 specification, and parses HTML to the same DOM as modern browsers do.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper sanitization of HTML including javascript: URL expressions if the non-default SafeList.preserveRelativeLinks option is enabled and no Content Security Policy is set on the website.

Note: Users that are upgrading to the fixed version should also clean old content again because unsanitized input may have persisted.

Mitigation

Users unable to upgrade to the fixed version should disable the SafeList.preserveRelativeLinks option, which will rewrite input URLs as absolute URLs and ensure an appropriate Content Security Policy is defined. It could be also used should as a defense-in-depth best practice.

Details

Cross-site scripting (or XSS) is a code vulnerability that occurs when an attacker “injects” a malicious script into an otherwise trusted website. The injected script gets downloaded and executed by the end user’s browser when the user interacts with the compromised website.

This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.

Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.

Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, < can be coded as &lt; and > can be coded as &gt; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses < and > as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.

The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.

Types of attacks

There are a few methods by which XSS can be manipulated:

Affected environments

The following environments are susceptible to an XSS attack:

• Web servers
• Application servers
• Web application environments

How to prevent

This section describes the top best practices designed to specifically protect your code:

• Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.
• Convert special characters such as ?, &, /, <, > and spaces to their respective HTML or URL encoded equivalents.
• Give users the option to disable client-side scripts.
• Redirect invalid requests.
• Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.
• Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.
• Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.

Remediation

Upgrade org.jsoup:jsoup to version 1.15.3 or higher.

References

• GitHub Commit
• GitHub Release

LGPL-2.0 license

EPL-1.0 license

EPL-1.0 license