swapnil bharshankar created MNG-7227:
----------------------------------------
Summary: Fix CVE-2021-37714 present in apache-maven
Key: MNG-7227
URL: https://issues.apache.org/jira/browse/MNG-7227
Project: Maven
Issue Type: Bug
Components: Dependencies
Affects Versions: 3.8.2
Reporter: swapnil bharshankar
The following high-severity CVE-2021-37714 is present in Apache Maven.
Description: jsoup is a Java library for working with HTML. Those using jsoup
versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to
DoS attacks. If the parser is run on user supplied input, an attacker may
supply content that causes the parser to get stuck (loop indefinitely until
cancelled), to complete more slowly than usual, or to throw an unexpected
exception. This effect may support a denial of service attack. The issue is
patched in version 1.14.2. There are a few available workarounds. Users may
rate limit input parsing, limit the size of inputs based on system resources,
and/or implement thread watchdogs to cap and timeout parse runtimes.
Ref:
* [https://github.com/jhy/jsoup/security/advisories/GHSA-m72m-mhq2-9p6c]
* [https://nvd.nist.gov/vuln/detail/CVE-2021-37714]
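The two workarounds named above, an input-size cap and a thread watchdog that times out the parse, as an added example that is not part of this issue or of Maven's or jsoup's own code. It assumes jsoup is on the classpath and uses its public `Jsoup.parse(String)` entry point; the class name, limits and sample input are constructed for illustration.

```java
import java.util.concurrent.*;
import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;

/** Bounded jsoup parsing: caps input size and wall-clock parse time (hypothetical helper). */
public final class BoundedHtmlParser {
    private final ExecutorService pool = Executors.newCachedThreadPool(r -> {
        Thread t = new Thread(r, "jsoup-parse");
        t.setDaemon(true); // a stuck parse must not keep the JVM alive on shutdown
        return t;
    });
    private final int maxChars;
    private final long timeoutMillis;

    public BoundedHtmlParser(int maxChars, long timeoutMillis) {
        this.maxChars = maxChars;
        this.timeoutMillis = timeoutMillis;
    }

    public Document parse(String untrustedHtml) throws TimeoutException {
        // Workaround 1: refuse oversized input before any parsing work starts.
        if (untrustedHtml.length() > maxChars) {
            throw new IllegalArgumentException("input exceeds " + maxChars + " chars");
        }
        // Workaround 2: run the parse on a worker and bound how long the caller waits.
        Future<Document> job = pool.submit(() -> Jsoup.parse(untrustedHtml));
        try {
            return job.get(timeoutMillis, TimeUnit.MILLISECONDS);
        } catch (TimeoutException e) {
            // Interrupt is best effort: a parser stuck in a loop may keep burning CPU
            // on the daemon thread. The watchdog caps caller latency; the real fix is 1.14.2+.
            job.cancel(true);
            throw e;
        } catch (InterruptedException e) {
            job.cancel(true);
            Thread.currentThread().interrupt();
            throw new IllegalStateException("interrupted while parsing", e);
        } catch (ExecutionException e) {
            // Unexpected parser exception: fail closed with a generic error.
            throw new IllegalArgumentException("unparseable input", e.getCause());
        }
    }

    public static void main(String[] args) throws Exception {
        BoundedHtmlParser parser = new BoundedHtmlParser(64 * 1024, 2_000);
        // Constructed sample input, not taken from any real request.
        Document doc = parser.parse("<html><body><p>hello</p></body></html>");
        System.out.println(doc.select("p").text());
    }
}
```

A timeout here is a signal worth logging and alerting on, since a parse that routinely hits the cap on external input is exactly the symptom the advisory describes.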
--
This message was sent by Atlassian Jira
(v8.3.4#803005)