What kind of vulnerability is it? Who is impacted? Those using jsoup to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack.
Has the problem been patched? What versions should users upgrade to? Users should upgrade to jsoup 1.14.2
Is there a way for users to fix or remediate the vulnerability without upgrading? Users may rate limit input parsing. Users should limit the size of inputs based on system resources. Users should implement thread watchdogs to cap and timeout parse runtimes.
{ "nvd_published_at": "2021-08-18T15:15:00Z", "cwe_ids": [ "CWE-248", "CWE-835" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2021-08-23T17:20:30Z" }