{"id":"CVE-2021-37714","details":"jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to denial-of-service (DoS) attacks. If the parser is run on user-supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial-of-service attack. The issue is patched in version 1.14.2. There are a few available workarounds. Users may rate-limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and time out parse runtimes.","aliases":["GHSA-m72m-mhq2-9p6c"],"modified":"2026-05-18T05:55:15.759644570Z","published":"2021-08-18T15:15:08.023Z","related":["CGA-7f2j-6wfc-g6j8","SUSE-SU-2022:1265-1","openSUSE-SU-2024:10882-1","openSUSE-SU-2024:10883-1"],"database_specific":{"unresolved_ranges":[{"source":"CPE_FIELD","vendor_product":"oracle:banking_trade_finance","extracted_events":[{"last_affected":"14.5"}],"cpes":["cpe:2.3:a:oracle:banking_trade_finance:14.5:*:*:*:*:*:*:*"]},{"source":"CPE_FIELD","vendor_product":"oracle:banking_treasury_management","extracted_events":[{"last_affected":"14.5"}],"cpes":["cpe:2.3:a:oracle:banking_treasury_management:14.5:*:*:*:*:*:*:*"]},{"source":"CPE_FIELD","vendor_product":"oracle:business_process_management_suite","extracted_events":[{"last_affected":"12.2.1.3.0"},{"last_affected":"12.2.1.4.0"}],"cpes":["cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0:*:*:*:*:*:*:*"]},{"source":"CPE_FIELD","cpes":["cpe:2.3:o:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*"],"extracted_events":[{"last_affected":"8.1"}],"vendor_product":"oracle:communications_messaging_server"},{"source":"CPE_FIELD","cpes":["cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.2
.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.3.0:*:*:*:*:*:*:*"],"extracted_events":[{"last_affected":"8.0.8.2.0"},{"last_affected":"8.0.8.3.0"}],"vendor_product":"oracle:financial_services_crime_and_compliance_management_studio"},{"source":"CPE_FIELD","cpes":["cpe:2.3:a:oracle:flexcube_universal_banking:*:*:*:*:*:*:*:*","cpe:2.3:a:oracle:flexcube_universal_banking:14.5:*:*:*:*:*:*:*"],"extracted_events":[{"introduced":"14.0.0"},{"last_affected":"14.3.0"},{"last_affected":"14.5"}],"vendor_product":"oracle:flexcube_universal_banking"},{"source":"CPE_FIELD","cpes":["cpe:2.3:a:oracle:hospitality_token_proxy_service:19.2:*:*:*:*:*:*:*"],"extracted_events":[{"last_affected":"19.2"}],"vendor_product":"oracle:hospitality_token_proxy_service"},{"source":"CPE_FIELD","cpes":["cpe:2.3:a:oracle:middleware_common_libraries_and_tools:12.2.1.3.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:middleware_common_libraries_and_tools:12.2.1.4.0:*:*:*:*:*:*:*"],"extracted_events":[{"last_affected":"12.2.1.3.0"},{"last_affected":"12.2.1.4.0"}],"vendor_product":"oracle:middleware_common_libraries_and_tools"},{"source":"CPE_FIELD","cpes":["cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*","cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*"],"extracted_events":[{"last_affected":"8.58"},{"last_affected":"8.59"}],"vendor_product":"oracle:peoplesoft_enterprise_peopletools"},{"source":"CPE_FIELD","cpes":["cpe:2.3:a:oracle:primavera_unifier:20.12:*:*:*:*:*:*:*","cpe:2.3:a:oracle:primavera_unifier:21.12:*:*:*:*:*:*:*"],"extracted_events":[{"last_affected":"20.12"},{"last_affected":"21.12"}],"vendor_product":"oracle:primavera_unifier"},{"source":"CPE_FIELD","vendor_product":"oracle:retail_customer_management_and_segmentation_foundation","extracted_events":[{"introduced":"17.0"},{"last_affected":"19.0"}],"cpes":["cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:*:*:*:*:*:*:*:*"]},{"source":"CPE_
FIELD","vendor_product":"oracle:stream_analytics","extracted_events":[{"fixed":"19.1.0.0.6.4"},{"last_affected":"19c"}],"cpes":["cpe:2.3:a:oracle:stream_analytics:*:*:*:*:*:*:*:*","cpe:2.3:a:oracle:stream_analytics:19c:*:*:*:*:*:*:*"]},{"source":"CPE_FIELD","cpes":["cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:*"],"extracted_events":[{"last_affected":"12.2.1.3.0"},{"last_affected":"12.2.1.4.0"}],"vendor_product":"oracle:webcenter_portal"}]},"references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/r215009dbf7467a9f6506d0c0024cb36cad30071010e62c9352cfaaf0%40%3Cissues.maven.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r377b93d79817ce649e9e68b3456e6f499747ef1643fa987b342e082e%40%3Cissues.maven.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r3d71f18adb78e50f626dde689161ca63d3b7491bd9718fcddfaecba7%40%3Cissues.maven.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r50e9c9466c592ca9d707a5dea549524d19e3287da08d8392f643960e%40%3Cissues.maven.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r685c5235235ad0c26e86d0ee987fb802c9675de6081dbf0516464e0b%40%3Cnotifications.james.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r97404676a5cf591988faedb887d64e278f522adcaa823d89ca69defe%40%3Cnotifications.james.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rc3354080fc67fb50b45b3c2d12dc4ca2a3c1c78dad3d3ba012c038aa%40%3Cnotifications.james.apache.org%3E"},{"type":"ADVISORY","url":"https://github.com/jhy/jsoup/security/advisories/GHSA-m72m-mhq2-9p6c"},{"type":"ADVISORY","url":"https://jsoup.org/news/release-1.14.1"},{"type":"ADVISORY","url":"https://jsoup.org/news/release-1.14.2"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20220210-0022/"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"typ
e":"FIX","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujul2022.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jhy/jsoup","events":[{"introduced":"0"},{"fixed":"19c77325c9abb6f8b8b65034470e15faad6ce822"}],"database_specific":{"source":"CPE_FIELD","extracted_events":[{"introduced":"0"},{"fixed":"1.14.2"}],"cpe":"cpe:2.3:a:jsoup:jsoup:*:*:*:*:*:*:*:*"}}],"versions":["jsoup-1.14.1","jsoup-1.13.1","jsoup-1.12.2","1.12.2","jsoup-1.12.1","jsoup-1.11.3","jsoup-1.11.2","jsoup-1.11.1","jsoup-1.10.2","jsoup-1.10.1","jsoup-1.9.2","jsoup-1.9.1a","jsoup-1.9.1","jsoup-1.8.3a","jsoup-1.8.3","jsoup-1.8.2","jsoup-1.8.1.a","jsoup-1.7.3","jsoup-1.7.2","jsoup-1.7.1","jsoup-1.6.3","jsoup-1.6.2"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-37714.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/quarkusio/quarkus","events":[{"introduced":"0"},{"last_affected":"4af9c47bce990bff7168ef1fa79f591db0e03d31"}],"database_specific":{"source":"CPE_FIELD","extracted_events":[{"introduced":"0"},{"last_affected":"2.2.3"}],"cpe":"cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*"}}],"versions":["2.2.3.Final"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-37714.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}