Bug 1203459 - (CVE-2022-36033) VUL-0: CVE-2022-36033: jsoup: flawed sanitization of XSS attempts if SafeList.preserveRelativeLinks is enabled
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Fridrich Strba
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/341064/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-36033:6.1:(AV:...
Depends on:
Blocks:
Reported: 2022-09-15 13:17 UTC by Carlos López
Modified: 2022-11-16 14:24 UTC (History)
CC: 4 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Carlos López 2022-09-15 13:17:53 UTC
rh#2127078

jsoup is a Java HTML parser, built for HTML editing, cleaning, scraping, and
cross-site scripting (XSS) safety. jsoup may incorrectly sanitize HTML including
`javascript:` URL expressions, which could allow XSS attacks when a reader
subsequently clicks that link. If the non-default
`SafeList.preserveRelativeLinks` option is enabled, HTML including `javascript:`
URLs that have been crafted with control characters will not be sanitized. If
the site that this HTML is published on does not set a Content Security Policy,
an XSS attack is then possible. This issue is patched in jsoup 1.15.3. Users
should upgrade to this version. Additionally, as the unsanitized input may have
been persisted, old content should be cleaned again using the updated version.
To remediate this issue without immediately upgrading:
- disable `SafeList.preserveRelativeLinks`, which will rewrite input URLs as absolute URLs
- ensure an appropriate [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) is defined. (This should be used regardless of upgrading, as a defence-in-depth best practice.)

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2127078
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-36033
https://www.cve.org/CVERecord?id=CVE-2022-36033
https://github.com/jhy/jsoup/security/advisories/GHSA-gp7f-rwcx-9369
https://github.com/jhy/jsoup/releases/tag/jsoup-1.15.3
https://jsoup.org/news/release-1.15.3
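Added illustration (not part of this bug report or of jsoup's own code): the two configurations named in the description side by side, run over a constructed payload. The bypass the advisory describes relies on browsers dropping tab, LF and CR from a URL before parsing its scheme, so a browser reads the href below as `javascript:alert(...)` even though the literal attribute value does not start with `javascript:`. With `preserveRelativeLinks(true)` on a jsoup release before 1.15.3 the raw attribute value is expected to survive cleaning; with the default setting the value is rewritten to an absolute URL under the supplied base URI (`https://example.com/` is an assumed value here) and becomes a harmless path on that host. `hasScriptScheme` is an added defence-in-depth check for re-scanning content that was persisted before the upgrade; its control-character stripping is deliberately broader than what browsers do, so it errs towards rejecting.

```java
import java.util.regex.Pattern;

import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;
import org.jsoup.nodes.Element;
import org.jsoup.safety.Safelist;

// Added example, not code from the bug report or from jsoup itself.
public class PreserveRelativeLinksCheck {

    // Constructed payload: the tab inside the scheme is what a browser strips
    // before treating the href as a javascript: URL.
    static final String PAYLOAD =
        "<p>hello</p><a href=\"java\tscript:alert(document.domain)\">click</a>";

    // Assumed base URI of the site that publishes the cleaned HTML.
    static final String BASE_URI = "https://example.com/";

    // ASCII control characters and DEL; removed before the scheme is inspected.
    private static final Pattern CONTROL = Pattern.compile("[\\x00-\\x1f\\x7f]");

    // The non-default configuration the advisory flags (vulnerable on jsoup < 1.15.3):
    // relative hrefs are emitted as written, so the tab survives into the page.
    static String cleanPreservingRelativeLinks(String html) {
        return Jsoup.clean(html, BASE_URI, Safelist.basic().preserveRelativeLinks(true));
    }

    // Interim mitigation from the advisory: leave preserveRelativeLinks at its
    // default (false), so relative hrefs are rewritten to absolute URLs under BASE_URI.
    static String cleanRewritingToAbsolute(String html) {
        return Jsoup.clean(html, BASE_URI, Safelist.basic());
    }

    // Defence-in-depth post-check for re-scanning stored content: true if any href or src,
    // after control characters are removed, uses the javascript: scheme.
    static boolean hasScriptScheme(String cleanedHtml) {
        Document doc = Jsoup.parseBodyFragment(cleanedHtml);
        for (Element el : doc.select("[href], [src]")) {
            for (String key : new String[] {"href", "src"}) {
                String raw = el.attr(key);          // "" when the attribute is absent
                if (raw.isEmpty()) {
                    continue;
                }
                String normalized = CONTROL.matcher(raw).replaceAll("").trim().toLowerCase();
                if (normalized.startsWith("javascript:")) {
                    return true;
                }
            }
        }
        return false;
    }

    public static void main(String[] args) {
        String preserved = cleanPreservingRelativeLinks(PAYLOAD);
        String rewritten = cleanRewritingToAbsolute(PAYLOAD);
        System.out.println("preserveRelativeLinks=true : " + preserved);
        System.out.println("  javascript: scheme after normalisation? " + hasScriptScheme(preserved));
        System.out.println("preserveRelativeLinks=false: " + rewritten);
        System.out.println("  javascript: scheme after normalisation? " + hasScriptScheme(rewritten));
    }
}
```

Run this against the jsoup version actually deployed: on a fixed release (1.15.3 or later, including the packages listed in this bug) both outputs should drop the href, while on an older release only the default configuration does. Independently of the library version, a response header such as `Content-Security-Policy: default-src 'self'` with no `'unsafe-inline'` in `script-src` prevents a `javascript:` link from executing even if one slips through, which is the second mitigation the description asks for.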
Comment 1 Carlos López 2022-09-15 13:25:47 UTC
The fix seems to be this one:
https://github.com/jhy/jsoup/commit/4ea768d96b3d232e63edef9594766d44597b3882

If so, the following are affected:
- SUSE:SLE-15-SP2:Update
- openSUSE:Factory
Comment 3 OBSbugzilla Bot 2022-10-17 08:35:02 UTC
This is an autogenerated message for OBS integration:
This bug (1203459) was mentioned in
https://build.opensuse.org/request/show/1012018 Factory / jsoup
Comment 5 Swamp Workflow Management 2022-11-16 14:24:55 UTC
SUSE-SU-2022:4011-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1203459
CVE References: CVE-2022-36033
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    jsoup-1.15.3-150200.3.6.1
openSUSE Leap 15.3 (src):    jsoup-1.15.3-150200.3.6.1
SUSE Linux Enterprise Module for Development Tools 15-SP4 (src):    jsoup-1.15.3-150200.3.6.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    jsoup-1.15.3-150200.3.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.