CVE-2022-36033 - Vulnerability Details

CVE-2022-36033 - jsoup may not sanitize Cross-Site Scripting (XSS) attempts if SafeList.preserveRelativeLinks is enabled

jsoup is a Java HTML parser, built for HTML editing, cleaning, scraping, and cross-site scripting (XSS) safety. jsoup may incorrectly sanitize HTML including `javascript:` URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the non-default `SafeList.preserveRelativeLinks` option is enabled, HTML including `javascript:` URLs that have been crafted with control characters will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is then possible. This issue is patched in jsoup 1.15.3. Users should upgrade to this version. Additionally, as the unsanitized input may have been persisted, old content should be cleaned again using the updated version. To remediate this issue without immediately upgrading: - disable `SafeList.preserveRelativeLinks`, which will rewrite input URLs as absolute URLs - ensure an appropriate [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) is defined. (This should be used regardless of upgrading, as a defence-in-depth best practice.)

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Jsoup	Jsoup
Netapp	Management Services For Element Software Management Services For Netapp Hci Oncommand Workflow Automation
Redhat	Jboss Enterprise Application Platform Migration Toolkit Runtimes

Configuration 1 [-]

cpe:2.3:a:jsoup:jsoup:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:a:netapp:management_services_for_element_software:-:::::::*
	cpe:2.3:a:netapp:management_services_for_netapp_hci:-:::::::*
	cpe:2.3:a:netapp:oncommand_workflow_automation:-:::::::*

Package	CPE	Advisory	Released Date
Migration Toolkit for Runtimes 1 on RHEL 8
mtr/mtr-operator-bundle:1.2-27	cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8	RHSA-2024:6656	2024-09-12T00:00:00Z
mtr/mtr-rhel8-operator:1.2-17	cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8	RHSA-2024:6656	2024-09-12T00:00:00Z
mtr/mtr-web-container-rhel8:1.2-19	cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8	RHSA-2024:6656	2024-09-12T00:00:00Z
mtr/mtr-web-executor-container-rhel8:1.2-17	cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8	RHSA-2024:6656	2024-09-12T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7
org.jsoup/jsoup	cpe:/a:redhat:jboss_enterprise_application_platform:7.4	RHSA-2024:8080	2024-10-14T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8
eap7-hal-console-0:3.3.24-1.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2024:8076	2024-10-14T00:00:00Z
eap7-hibernate-validator-0:6.0.23-2.SP1_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2024:8076	2024-10-14T00:00:00Z
eap7-insights-java-client-0:1.1.3-1.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2024:8076	2024-10-14T00:00:00Z
eap7-ironjacamar-0:1.5.18-1.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2024:8076	2024-10-14T00:00:00Z
eap7-jboss-cert-helper-0:1.1.3-1.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2024:8076	2024-10-14T00:00:00Z
eap7-jboss-ejb-client-0:4.0.55-1.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2024:8076	2024-10-14T00:00:00Z
eap7-jboss-server-migration-0:1.10.0-39.Final_redhat_00039.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2024:8076	2024-10-14T00:00:00Z
eap7-jbossws-cxf-0:5.4.12-1.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2024:8076	2024-10-14T00:00:00Z
eap7-jsoup-0:1.15.4-1.redhat_00003.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2024:8076	2024-10-14T00:00:00Z
eap7-undertow-jastow-0:2.0.15-1.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2024:8076	2024-10-14T00:00:00Z
eap7-wildfly-0:7.4.19-1.GA_redhat_00002.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2024:8076	2024-10-14T00:00:00Z
eap7-xalan-j2-0:2.7.1-37.redhat_00015.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2024:8076	2024-10-14T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9
eap7-hal-console-0:3.3.24-1.Final_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2024:8077	2024-10-14T00:00:00Z
eap7-hibernate-validator-0:6.0.23-2.SP1_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2024:8077	2024-10-14T00:00:00Z
eap7-insights-java-client-0:1.1.3-1.redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2024:8077	2024-10-14T00:00:00Z
eap7-ironjacamar-0:1.5.18-1.Final_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2024:8077	2024-10-14T00:00:00Z
eap7-jboss-cert-helper-0:1.1.3-1.redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2024:8077	2024-10-14T00:00:00Z
eap7-jboss-ejb-client-0:4.0.55-1.Final_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2024:8077	2024-10-14T00:00:00Z
eap7-jboss-server-migration-0:1.10.0-39.Final_redhat_00039.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2024:8077	2024-10-14T00:00:00Z
eap7-jbossws-cxf-0:5.4.12-1.Final_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2024:8077	2024-10-14T00:00:00Z
eap7-jsoup-0:1.15.4-1.redhat_00003.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2024:8077	2024-10-14T00:00:00Z
eap7-undertow-jastow-0:2.0.15-1.Final_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2024:8077	2024-10-14T00:00:00Z
eap7-wildfly-0:7.4.19-1.GA_redhat_00002.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2024:8077	2024-10-14T00:00:00Z
eap7-xalan-j2-0:2.7.1-37.redhat_00015.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2024:8077	2024-10-14T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7
eap7-hal-console-0:3.3.24-1.Final_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7	RHSA-2024:8075	2024-10-14T00:00:00Z
eap7-hibernate-validator-0:6.0.23-2.SP1_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7	RHSA-2024:8075	2024-10-14T00:00:00Z
eap7-insights-java-client-0:1.1.3-1.redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7	RHSA-2024:8075	2024-10-14T00:00:00Z
eap7-ironjacamar-0:1.5.18-1.Final_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7	RHSA-2024:8075	2024-10-14T00:00:00Z
eap7-jboss-cert-helper-0:1.1.3-1.redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7	RHSA-2024:8075	2024-10-14T00:00:00Z
eap7-jboss-ejb-client-0:4.0.55-1.Final_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7	RHSA-2024:8075	2024-10-14T00:00:00Z
eap7-jboss-server-migration-0:1.10.0-39.Final_redhat_00039.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7	RHSA-2024:8075	2024-10-14T00:00:00Z
eap7-jbossws-cxf-0:5.4.12-1.Final_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7	RHSA-2024:8075	2024-10-14T00:00:00Z
eap7-jsoup-0:1.15.4-1.redhat_00003.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7	RHSA-2024:8075	2024-10-14T00:00:00Z
eap7-undertow-jastow-0:2.0.15-1.Final_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7	RHSA-2024:8075	2024-10-14T00:00:00Z
eap7-wildfly-0:7.4.19-1.GA_redhat_00002.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7	RHSA-2024:8075	2024-10-14T00:00:00Z
eap7-xalan-j2-0:2.7.1-37.redhat_00015.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7	RHSA-2024:8075	2024-10-14T00:00:00Z

References

Link	Providers
https://github.com/jhy/jsoup/releases/tag/jsoup-1.15.3
https://github.com/jhy/jsoup/security/advisories/GHSA-gp7f-rwcx-9369
https://jsoup.org/news/release-1.15.3
https://nvd.nist.gov/vuln/detail/CVE-2022-36033
https://security.netapp.com/advisory/ntap-20221104-0006/
https://www.cve.org/CVERecord?id=CVE-2022-36033

History

Wed, 16 Oct 2024 02:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat jboss Enterprise Application Platform
CPEs		cpe:/a:redhat:jboss_enterprise_application_platform:7.4 cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7 cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8 cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9
Vendors & Products		Redhat jboss Enterprise Application Platform

Sat, 14 Sep 2024 02:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat Redhat migration Toolkit Runtimes
CPEs		cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8
Vendors & Products		Redhat Redhat migration Toolkit Runtimes

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-08-29T00:00:00

Updated: 2024-08-03T09:51:59.964Z

Reserved: 2022-07-15T00:00:00

Link: CVE-2022-36033

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-08-29T17:15:08.523

Modified: 2024-11-21T07:12:13.753

Link: CVE-2022-36033

Redhat

Severity : Moderate

Publid Date: 2022-08-29T00:00:00Z

Links: CVE-2022-36033 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-36033", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "dateUpdated": "2024-08-03T09:51:59.964Z", "dateReserved": "2022-07-15T00:00:00", "datePublished": "2022-08-29T00:00:00"}, "containers": {"cna": {"title": "jsoup may not sanitize Cross-Site Scripting (XSS) attempts if SafeList.preserveRelativeLinks is enabled", "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-11-04T00:00:00"}, "descriptions": [{"lang": "en", "value": "jsoup is a Java HTML parser, built for HTML editing, cleaning, scraping, and cross-site scripting (XSS) safety. jsoup may incorrectly sanitize HTML including `javascript:` URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the non-default `SafeList.preserveRelativeLinks` option is enabled, HTML including `javascript:` URLs that have been crafted with control characters will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is then possible. This issue is patched in jsoup 1.15.3. Users should upgrade to this version. Additionally, as the unsanitized input may have been persisted, old content should be cleaned again using the updated version. To remediate this issue without immediately upgrading: - disable `SafeList.preserveRelativeLinks`, which will rewrite input URLs as absolute URLs - ensure an appropriate [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) is defined. (This should be used regardless of upgrading, as a defence-in-depth best practice.)"}], "affected": [{"vendor": "jhy", "product": "jsoup", "versions": [{"version": "< 1.15.3", "status": "affected"}]}], "references": [{"url": "https://github.com/jhy/jsoup/security/advisories/GHSA-gp7f-rwcx-9369"}, {"url": "https://github.com/jhy/jsoup/releases/tag/jsoup-1.15.3"}, {"url": "https://jsoup.org/news/release-1.15.3"}, {"url": "https://security.netapp.com/advisory/ntap-20221104-0006/"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-87: Improper Neutralization of Alternate XSS Syntax", "cweId": "CWE-87"}]}, {"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79"}]}], "source": {"advisory": "GHSA-gp7f-rwcx-9369", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T09:51:59.964Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/jhy/jsoup/security/advisories/GHSA-gp7f-rwcx-9369", "tags": ["x_transferred"]}, {"url": "https://github.com/jhy/jsoup/releases/tag/jsoup-1.15.3", "tags": ["x_transferred"]}, {"url": "https://jsoup.org/news/release-1.15.3", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20221104-0006/", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jsoup:jsoup:*:*:*:*:*:*:*:*", "matchCriteriaId": "B8341769-FF52-45A1-B692-74C5E963BE4F", "versionEndExcluding": "1.15.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netapp:management_services_for_element_software:-:*:*:*:*:*:*:*", "matchCriteriaId": "86B51137-28D9-41F2-AFA2-3CC22B4954D1", "vulnerable": true}, {"criteria": "cpe:2.3:a:netapp:management_services_for_netapp_hci:-:*:*:*:*:*:*:*", "matchCriteriaId": "4455CF3A-CC91-4BE4-A7AB-929AC82E34F5", "vulnerable": true}, {"criteria": "cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*", "matchCriteriaId": "5735E553-9731-4AAC-BCFF-989377F817B3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "jsoup is a Java HTML parser, built for HTML editing, cleaning, scraping, and cross-site scripting (XSS) safety. jsoup may incorrectly sanitize HTML including `javascript:` URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the non-default `SafeList.preserveRelativeLinks` option is enabled, HTML including `javascript:` URLs that have been crafted with control characters will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is then possible. This issue is patched in jsoup 1.15.3. Users should upgrade to this version. Additionally, as the unsanitized input may have been persisted, old content should be cleaned again using the updated version. To remediate this issue without immediately upgrading: - disable `SafeList.preserveRelativeLinks`, which will rewrite input URLs as absolute URLs - ensure an appropriate [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) is defined. (This should be used regardless of upgrading, as a defence-in-depth best practice.)"}, {"lang": "es", "value": "jsoup es un analizador HTML de Java, construido para la edici\u00f3n, limpieza y raspado de HTML, y para la seguridad de vulnerabilidades de tipo cross-site scripting (XSS). jsoup puede sanear incorrectamente el HTML que incluye expresiones URL \"javascript:\", lo que podr\u00eda permitir ataques de tipo XSS cuando un lector hace clic posteriormente en ese enlace. Si la opci\u00f3n no predeterminada \"SafeList.preserveRelativeLinks\" est\u00e1 habilitada, el HTML que incluya expresiones URL \"javascript:\" que hayan sido dise\u00f1adas con caracteres de control no ser\u00e1 saneado. Si el sitio en el que es publicado este HTML no establece una pol\u00edtica de seguridad de contenidos, es posible un ataque de tipo XSS. Este problema ha sido corregido en jsoup versi\u00f3n 1.15.3. Los usuarios deber\u00edan actualizar a esta versi\u00f3n. Adem\u00e1s, como es posible que la entrada no saneada haya sido mantenido, el contenido antiguo debe limpiarse de nuevo usando la versi\u00f3n actualizada. Para mitigar este problema sin tener que actualizar inmediatamente - deshabilite \"SafeList.preserveRelativeLinks\", que reescribir\u00e1 las URLs de entrada como URLs absolutas - aseg\u00farese de que es definido una [Pol\u00edtica de Seguridad de Contenidos](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) apropiada. (Esto deber\u00eda usarse independientemente de la actualizaci\u00f3n, como mejor pr\u00e1ctica de defensa en profundidad)"}], "id": "CVE-2022-36033", "lastModified": "2024-11-21T07:12:13.753", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-08-29T17:15:08.523", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/jhy/jsoup/releases/tag/jsoup-1.15.3"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/jhy/jsoup/security/advisories/GHSA-gp7f-rwcx-9369"}, {"source": "security-advisories@github.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://jsoup.org/news/release-1.15.3"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20221104-0006/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/jhy/jsoup/releases/tag/jsoup-1.15.3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/jhy/jsoup/security/advisories/GHSA-gp7f-rwcx-9369"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://jsoup.org/news/release-1.15.3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20221104-0006/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-87"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2024:6656", "cpe": "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8", "package": "mtr/mtr-operator-bundle:1.2-27", "product_name": "Migration Toolkit for Runtimes 1 on RHEL 8", "release_date": "2024-09-12T00:00:00Z"}, {"advisory": "RHSA-2024:6656", "cpe": "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8", "package": "mtr/mtr-rhel8-operator:1.2-17", "product_name": "Migration Toolkit for Runtimes 1 on RHEL 8", "release_date": "2024-09-12T00:00:00Z"}, {"advisory": "RHSA-2024:6656", "cpe": "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8", "package": "mtr/mtr-web-container-rhel8:1.2-19", "product_name": "Migration Toolkit for Runtimes 1 on RHEL 8", "release_date": "2024-09-12T00:00:00Z"}, {"advisory": "RHSA-2024:6656", "cpe": "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8", "package": "mtr/mtr-web-executor-container-rhel8:1.2-17", "product_name": "Migration Toolkit for Runtimes 1 on RHEL 8", "release_date": "2024-09-12T00:00:00Z"}, {"advisory": "RHSA-2024:8080", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4", "package": "org.jsoup/jsoup", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2024-10-14T00:00:00Z"}, {"advisory": "RHSA-2024:8076", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-hal-console-0:3.3.24-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2024-10-14T00:00:00Z"}, {"advisory": "RHSA-2024:8076", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-hibernate-validator-0:6.0.23-2.SP1_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2024-10-14T00:00:00Z"}, {"advisory": "RHSA-2024:8076", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-insights-java-client-0:1.1.3-1.redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2024-10-14T00:00:00Z"}, {"advisory": "RHSA-2024:8076", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-ironjacamar-0:1.5.18-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2024-10-14T00:00:00Z"}, {"advisory": "RHSA-2024:8076", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-jboss-cert-helper-0:1.1.3-1.redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2024-10-14T00:00:00Z"}, {"advisory": "RHSA-2024:8076", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-jboss-ejb-client-0:4.0.55-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2024-10-14T00:00:00Z"}, {"advisory": "RHSA-2024:8076", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-jboss-server-migration-0:1.10.0-39.Final_redhat_00039.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2024-10-14T00:00:00Z"}, {"advisory": "RHSA-2024:8076", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-jbossws-cxf-0:5.4.12-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2024-10-14T00:00:00Z"}, {"advisory": "RHSA-2024:8076", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-jsoup-0:1.15.4-1.redhat_00003.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2024-10-14T00:00:00Z"}, {"advisory": "RHSA-2024:8076", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-undertow-jastow-0:2.0.15-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2024-10-14T00:00:00Z"}, {"advisory": "RHSA-2024:8076", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-wildfly-0:7.4.19-1.GA_redhat_00002.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2024-10-14T00:00:00Z"}, {"advisory": "RHSA-2024:8076", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-xalan-j2-0:2.7.1-37.redhat_00015.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2024-10-14T00:00:00Z"}, {"advisory": "RHSA-2024:8077", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-hal-console-0:3.3.24-1.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2024-10-14T00:00:00Z"}, {"advisory": "RHSA-2024:8077", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-hibernate-validator-0:6.0.23-2.SP1_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2024-10-14T00:00:00Z"}, {"advisory": "RHSA-2024:8077", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-insights-java-client-0:1.1.3-1.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2024-10-14T00:00:00Z"}, {"advisory": "RHSA-2024:8077", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-ironjacamar-0:1.5.18-1.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2024-10-14T00:00:00Z"}, {"advisory": "RHSA-2024:8077", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-jboss-cert-helper-0:1.1.3-1.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2024-10-14T00:00:00Z"}, {"advisory": "RHSA-2024:8077", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-jboss-ejb-client-0:4.0.55-1.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2024-10-14T00:00:00Z"}, {"advisory": "RHSA-2024:8077", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-jboss-server-migration-0:1.10.0-39.Final_redhat_00039.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2024-10-14T00:00:00Z"}, {"advisory": "RHSA-2024:8077", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-jbossws-cxf-0:5.4.12-1.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2024-10-14T00:00:00Z"}, {"advisory": "RHSA-2024:8077", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-jsoup-0:1.15.4-1.redhat_00003.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2024-10-14T00:00:00Z"}, {"advisory": "RHSA-2024:8077", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-undertow-jastow-0:2.0.15-1.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2024-10-14T00:00:00Z"}, {"advisory": "RHSA-2024:8077", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-wildfly-0:7.4.19-1.GA_redhat_00002.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2024-10-14T00:00:00Z"}, {"advisory": "RHSA-2024:8077", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-xalan-j2-0:2.7.1-37.redhat_00015.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2024-10-14T00:00:00Z"}, {"advisory": "RHSA-2024:8075", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-hal-console-0:3.3.24-1.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date": "2024-10-14T00:00:00Z"}, {"advisory": "RHSA-2024:8075", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-hibernate-validator-0:6.0.23-2.SP1_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date": "2024-10-14T00:00:00Z"}, {"advisory": "RHSA-2024:8075", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-insights-java-client-0:1.1.3-1.redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date": "2024-10-14T00:00:00Z"}, {"advisory": "RHSA-2024:8075", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-ironjacamar-0:1.5.18-1.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date": "2024-10-14T00:00:00Z"}, {"advisory": "RHSA-2024:8075", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-jboss-cert-helper-0:1.1.3-1.redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date": "2024-10-14T00:00:00Z"}, {"advisory": "RHSA-2024:8075", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-jboss-ejb-client-0:4.0.55-1.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date": "2024-10-14T00:00:00Z"}, {"advisory": "RHSA-2024:8075", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-jboss-server-migration-0:1.10.0-39.Final_redhat_00039.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date": "2024-10-14T00:00:00Z"}, {"advisory": "RHSA-2024:8075", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-jbossws-cxf-0:5.4.12-1.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date": "2024-10-14T00:00:00Z"}, {"advisory": "RHSA-2024:8075", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-jsoup-0:1.15.4-1.redhat_00003.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date": "2024-10-14T00:00:00Z"}, {"advisory": "RHSA-2024:8075", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-undertow-jastow-0:2.0.15-1.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date": "2024-10-14T00:00:00Z"}, {"advisory": "RHSA-2024:8075", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-wildfly-0:7.4.19-1.GA_redhat_00002.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date": "2024-10-14T00:00:00Z"}, {"advisory": "RHSA-2024:8075", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-xalan-j2-0:2.7.1-37.redhat_00015.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date": "2024-10-14T00:00:00Z"}], "bugzilla": {"description": "jsoup: The jsoup cleaner may incorrectly sanitize crafted XSS attempts if SafeList.preserveRelativeLinks is enabled", "id": "2127078", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2127078"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "status": "verified"}, "cwe": "(CWE-79|CWE-87)", "details": ["jsoup is a Java HTML parser, built for HTML editing, cleaning, scraping, and cross-site scripting (XSS) safety. jsoup may incorrectly sanitize HTML including `javascript:` URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the non-default `SafeList.preserveRelativeLinks` option is enabled, HTML including `javascript:` URLs that have been crafted with control characters will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is then possible. This issue is patched in jsoup 1.15.3. Users should upgrade to this version. Additionally, as the unsanitized input may have been persisted, old content should be cleaned again using the updated version. To remediate this issue without immediately upgrading: - disable `SafeList.preserveRelativeLinks`, which will rewrite input URLs as absolute URLs - ensure an appropriate [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) is defined. (This should be used regardless of upgrading, as a defence-in-depth best practice.)", "A flaw was found in jsoup, a Java HTML parser built for HTML editing, cleaning, scraping, and Cross-site scripting (XSS) safety. An issue in jsoup may incorrectly sanitize HTML, including `javascript:` URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the non-default `SafeList.preserveRelativeLinks` option is enabled, HTML, including `javascript:` URLs crafted with control characters, will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is possible."], "name": "CVE-2022-36033", "package_state": [{"cpe": "cpe:/a:redhat:amq_clients:2023", "fix_state": "Not affected", "package_name": "org.jsoup/jsoup", "product_name": "AMQ Clients"}, {"cpe": "cpe:/a:redhat:a_mq_clients:2", "fix_state": "Will not fix", "package_name": "org.jsoup/jsoup", "product_name": "A-MQ Clients 2"}, {"cpe": "cpe:/a:redhat:cryostat:3", "fix_state": "Not affected", "package_name": "org.jsoup/jsoup", "product_name": "Cryostat 3"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Affected", "package_name": "org.jsoup/jsoup", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:migration_toolkit_applications:6", "fix_state": "Will not fix", "package_name": "org.jsoup/jsoup", "product_name": "Migration Toolkit for Applications 6"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Not affected", "package_name": "org.jsoup/jsoup", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:amq_broker:7", "fix_state": "Not affected", "package_name": "org.jsoup/jsoup", "product_name": "Red Hat AMQ Broker 7"}, {"cpe": "cpe:/a:redhat:camel_quarkus:3", "fix_state": "Will not fix", "package_name": "org.jsoup/jsoup", "product_name": "Red Hat build of Apache Camel 4 for Quarkus 3"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:3", "fix_state": "Affected", "package_name": "org.jsoup/jsoup", "product_name": "Red Hat build of Apache Camel for Spring Boot 3"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Will not fix", "package_name": "org.jsoup/jsoup", "product_name": "Red Hat build of Apache Camel for Spring Boot 4"}, {"cpe": "cpe:/a:redhat:rhboac_hawtio:4", "fix_state": "Not affected", "package_name": "org.jsoup/jsoup", "product_name": "Red Hat build of Apache Camel - HawtIO 4"}, {"cpe": "cpe:/a:redhat:service_registry:2", "fix_state": "Affected", "package_name": "org.jsoup/jsoup", "product_name": "Red Hat build of Apicurio Registry 2"}, {"cpe": "cpe:/a:redhat:debezium:2", "fix_state": "Affected", "package_name": "org.jsoup/jsoup", "product_name": "Red Hat build of Debezium 2"}, {"cpe": "cpe:/a:redhat:build_keycloak:", "fix_state": "Not affected", "package_name": "org.jsoup/jsoup", "product_name": "Red Hat Build of Keycloak"}, {"cpe": "cpe:/a:redhat:optaplanner:::el6", "fix_state": "Affected", "package_name": "org.jsoup/jsoup", "product_name": "Red Hat build of OptaPlanner 8"}, {"cpe": "cpe:/a:redhat:quarkus:3", "fix_state": "Not affected", "package_name": "org.jsoup/jsoup", "product_name": "Red Hat build of Quarkus"}, {"cpe": "cpe:/a:redhat:quarkus:3", "fix_state": "Affected", "package_name": "org.jsoup/jsoup", "product_name": "Red Hat build of Quarkus Native builder"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Not affected", "package_name": "org.jsoup/jsoup", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "jsoup", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "maven:3.6/jsoup", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "jsoup", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Will not fix", "package_name": "org.jsoup/jsoup", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Will not fix", "package_name": "org.jsoup/jsoup", "product_name": "Red Hat Integration Camel K 1"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Will not fix", "package_name": "org.jsoup/jsoup", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Out of support scope", "package_name": "jsoup", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "org.jsoup/jsoup", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "org.jsoup/jsoup", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:6", "fix_state": "Not affected", "package_name": "org.jsoup/jsoup", "product_name": "Red Hat JBoss Web Server 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Will not fix", "package_name": "org.jsoup/jsoup", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "jsoup", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Affected", "package_name": "org.jsoup/jsoup", "product_name": "Red Hat Single Sign-On 7"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Will not fix", "package_name": "rh-maven36-jsoup", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:amq_streams:1", "fix_state": "Affected", "package_name": "org.jsoup/jsoup", "product_name": "streams for Apache Kafka"}], "public_date": "2022-08-29T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-36033\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-36033"], "threat_severity": "Moderate"}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object