Bug 1203459 - (CVE-2022-36033) VUL-0: CVE-2022-36033: jsoup: flawed sanitization of XSS attempts if SafeList.preserveRelativeLinks is enabled
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Fridrich Strba
QA Contact: Security Team bot
Depends on:
Reported: 2022-09-15 13:17 UTC by Carlos López
Modified: 2022-11-16 14:24 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Carlos López 2022-09-15 13:17:53 UTC

jsoup is a Java HTML parser, built for HTML editing, cleaning, scraping, and cross-site scripting (XSS) safety. jsoup may incorrectly sanitize HTML including `javascript:` URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the non-default `SafeList.preserveRelativeLinks` option is enabled, HTML including `javascript:` URLs that have been crafted with control characters will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is then possible.

This issue is patched in jsoup 1.15.3. Users should upgrade to this version. Additionally, as the unsanitized input may have been persisted, old content should be cleaned again using the updated version.

To remediate this issue without immediately upgrading:
- disable `SafeList.preserveRelativeLinks`, which will rewrite input URLs as absolute URLs
- ensure an appropriate [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) is defined. (This should be used regardless of upgrading, as a defence-in-depth best practice.)

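The following is an added example written for this page; it is not code from the bug report, from jsoup, or from the SUSE package. It shows the two Safelist configurations the description contrasts (preserveRelativeLinks enabled versus disabled) and adds an independent post-check that a practitioner can run over the cleaner's output: every URL attribute in the cleaned fragment is normalised the way a browser's URL parser normalises it before scheme detection (tab, LF and CR removed, leading and trailing C0 controls and spaces trimmed) and the output is rejected if a script-capable scheme remains. This check is useful both as a unit test for the sanitizer configuration and as a guard while re-cleaning persisted content, because it does not depend on which jsoup release produced the output. Assumptions: jsoup 1.14.1 or later on the classpath (the class is spelled `Safelist` in the library API, not `SafeList` as in the report text), and the tab-in-scheme payload is a constructed test input chosen to match the "control characters" wording of the description, not a payload taken from the report.

```java
import java.util.regex.Pattern;
import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;
import org.jsoup.nodes.Element;
import org.jsoup.safety.Safelist;

public class CleanedLinkCheck {

    // Browsers remove ASCII tab, LF and CR anywhere in a URL and trim leading/trailing
    // C0 controls and spaces before deciding what the scheme is. A sanitizer that compares
    // the raw attribute string against an allow-list can therefore be bypassed unless it
    // judges the value as the browser will see it.
    private static final Pattern STRIPPED_IN_URL = Pattern.compile("[\\t\\n\\r]");
    private static final Pattern DANGEROUS_SCHEME =
            Pattern.compile("^(javascript|data|vbscript):", Pattern.CASE_INSENSITIVE);

    /** Returns the URL as a browser's URL parser would see it before scheme detection. */
    static String browserView(String raw) {
        String s = STRIPPED_IN_URL.matcher(raw).replaceAll("");
        int start = 0, end = s.length();
        while (start < end && s.charAt(start) <= 0x20) start++;   // leading C0 controls / space
        while (end > start && s.charAt(end - 1) <= 0x20) end--;   // trailing C0 controls / space
        return s.substring(start, end);
    }

    /**
     * Cleans untrusted HTML with the caller's Safelist, then re-parses the result and refuses it
     * if any href/src/cite attribute still carries a script-capable scheme once normalised.
     * Throwing (rather than silently dropping) makes a misconfigured or outdated sanitizer visible.
     */
    static String cleanAndVerify(String untrustedHtml, String baseUri, Safelist safelist) {
        String cleaned = Jsoup.clean(untrustedHtml, baseUri, safelist);
        Document doc = Jsoup.parseBodyFragment(cleaned, baseUri);
        for (Element el : doc.select("[href], [src], [cite]")) {
            for (String attrName : new String[] {"href", "src", "cite"}) {
                if (!el.hasAttr(attrName)) continue;
                String seen = browserView(el.attr(attrName));
                if (DANGEROUS_SCHEME.matcher(seen).find()) {
                    throw new IllegalStateException(
                        "sanitizer output still contains " + attrName + " with a script scheme: " + seen);
                }
            }
        }
        return cleaned;
    }

    public static void main(String[] args) {
        // Constructed test input: a tab character inside the scheme. The browser strips the tab
        // and treats the link as javascript:, while a naive string comparison does not see
        // "javascript:" at all.
        String payload = "<a href=\"java\tscript:alert(1)\">click</a>";
        String base = "https://example.com/";

        // The non-default option named in the report, versus the mitigation the report recommends
        // (disable it, so input URLs are rewritten as absolute URLs before the protocol check).
        Safelist preserving = Safelist.basic().preserveRelativeLinks(true);
        Safelist rewriting  = Safelist.basic().preserveRelativeLinks(false);

        System.out.println("preserveRelativeLinks=false -> " + cleanAndVerify(payload, base, rewriting));
        try {
            System.out.println("preserveRelativeLinks=true  -> " + cleanAndVerify(payload, base, preserving));
        } catch (IllegalStateException e) {
            System.out.println("preserveRelativeLinks=true  -> REJECTED: " + e.getMessage());
        }
    }
}
```

Run it once against the jsoup version actually deployed and once against 1.15.3: the `REJECTED` branch is the signal that the deployed release and configuration let the crafted value through, and the same `cleanAndVerify` call can be used when re-cleaning previously persisted content so that anything the old release let through is caught instead of being republished. The post-check is a safety net, not a replacement for upgrading; the Content Security Policy the report recommends remains the layer that stops inline `javascript:` execution even if both the sanitizer and this check are bypassed.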
Comment 1 Carlos López 2022-09-15 13:25:47 UTC
The fix seems to be this one:

If so, the following are affected:
- SUSE:SLE-15-SP2:Update
- openSUSE:Factory
Comment 3 OBSbugzilla Bot 2022-10-17 08:35:02 UTC
This is an autogenerated message for OBS integration:
This bug (1203459) was mentioned in
https://build.opensuse.org/request/show/1012018 Factory / jsoup
Comment 5 Swamp Workflow Management 2022-11-16 14:24:55 UTC
SUSE-SU-2022:4011-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1203459
CVE References: CVE-2022-36033
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    jsoup-1.15.3-150200.3.6.1
openSUSE Leap 15.3 (src):    jsoup-1.15.3-150200.3.6.1
SUSE Linux Enterprise Module for Development Tools 15-SP4 (src):    jsoup-1.15.3-150200.3.6.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    jsoup-1.15.3-150200.3.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.