[https://issues.apache.org/jira/browse/MNG-7227?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17408265#comment-17408265]
Frank Schwichtenberg commented on MNG-7227:
-------------------------------------------
The issue is that each artifact containing Maven (devel Docker images etc.)
will be flagged as a high-risk CVE by CVE scanners.
Updating to jsoup 1.14.2 or dropping it will reduce significant pain for some
part of the Maven community.
> Fix CVE-2021-37714 present in apache-maven
> ------------------------------------------
>
> Key: MNG-7227
> URL: https://issues.apache.org/jira/browse/MNG-7227
> Project: Maven
> Issue Type: Bug
> Components: Dependencies
> Affects Versions: 3.8.2
> Reporter: swapnil bharshankar
> Priority: Minor
>
> The following high-severity CVE-2021-37714 is present in Apache Maven.
> Description: jsoup is a Java library for working with HTML. Those using jsoup
> versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to
> DOS attacks. If the parser is run on user supplied input, an attacker may
> supply content that causes the parser to get stuck (loop indefinitely until
> cancelled), to complete more slowly than usual, or to throw an unexpected
> exception. This effect may support a denial of service attack. The issue is
> patched in version 1.14.2. There are a few available workarounds. Users may
> rate limit input parsing, limit the size of inputs based on system resources,
> and/or implement thread watchdogs to cap and timeout parse runtimes.
> Ref:
> * [https://github.com/jhy/jsoup/security/advisories/GHSA-m72m-mhq2-9p6c]
> * [https://nvd.nist.gov/vuln/detail/CVE-2021-37714]
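As an added illustration of the input-size and thread-watchdog workarounds named in the quoted advisory text (example code added here, not from the Jira issue or from the Maven or jsoup projects), a small Java wrapper that runs jsoup's real `Jsoup.parse` on a worker thread, rejects oversized input and abandons the parse after a fixed timeout. The class name, the size cap and the timeout value are assumptions, not values from the page.

```java
import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;

import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

/** Wraps Jsoup.parse with the advisory's suggested workarounds: an input size cap and a parse timeout. */
public final class GuardedHtmlParser {
    // Assumed limits; tune to the host's resources.
    private static final int MAX_INPUT_CHARS = 1_000_000;
    private static final long PARSE_TIMEOUT_MS = 2_000;

    // Daemon threads so a parse that ignores interruption cannot keep the JVM alive at shutdown.
    private static final ExecutorService POOL = Executors.newCachedThreadPool(r -> {
        Thread t = new Thread(r, "jsoup-parse");
        t.setDaemon(true);
        return t;
    });

    private GuardedHtmlParser() {}

    /** Parses untrusted HTML, or throws if the input is too large or the parse takes too long. */
    public static Document parseUntrusted(String html) throws TimeoutException {
        if (html.length() > MAX_INPUT_CHARS) {
            throw new IllegalArgumentException("input exceeds " + MAX_INPUT_CHARS + " chars");
        }
        Future<Document> job = POOL.submit(() -> Jsoup.parse(html));
        try {
            return job.get(PARSE_TIMEOUT_MS, TimeUnit.MILLISECONDS);
        } catch (TimeoutException e) {
            // Interrupt the worker; whether it stops promptly depends on the parser honoring
            // the interrupt, so the caller must treat the parse as failed either way.
            job.cancel(true);
            throw e;
        } catch (InterruptedException e) {
            job.cancel(true);
            Thread.currentThread().interrupt();
            throw new IllegalStateException("interrupted while parsing", e);
        } catch (ExecutionException e) {
            // Unexpected parser exceptions are part of the described failure mode; surface them.
            throw new IllegalStateException("parser failed", e.getCause());
        }
    }
}
```

A caller would invoke `GuardedHtmlParser.parseUntrusted(html)` and treat `IllegalArgumentException`, `TimeoutException` and `IllegalStateException` alike as a rejected document rather than retrying.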