CVE-2022-36033 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2022-36033 Interim 1 18 2023-09-08T23:26:58Z current 2022-09-15T23:35:28Z 2023-09-08T23:26:58Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2022-36033 jsoup is a Java HTML parser, built for HTML editing, cleaning, scraping, and cross-site scripting (XSS) safety. jsoup may incorrectly sanitize HTML including `javascript:` URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the non-default `SafeList.preserveRelativeLinks` option is enabled, HTML including `javascript:` URLs that have been crafted with control characters will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is then possible. This issue is patched in jsoup 1.15.3. Users should upgrade to this version. Additionally, as the unsanitized input may have been persisted, old content should be cleaned again using the updated version. To remediate this issue without immediately upgrading: - disable `SafeList.preserveRelativeLinks`, which will rewrite input URLs as absolute URLs - ensure an appropriate [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) is defined. (This should be used regardless of upgrading, as a defence-in-depth best practice.) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://lists.suse.com/pipermail/sle-security-updates/2022-November/012977.html E-Mail link for SUSE-CU-2022:3027-1 https://lists.suse.com/pipermail/sle-security-updates/2022-November/012941.html E-Mail link for SUSE-SU-2022:4011-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings Container bci/openjdk-devel:11-36.63 Container bci/openjdk-devel:11-6.2 SUSE Enterprise Storage 7 SUSE Linux Enterprise Module for Development Tools 15 SP3 SUSE Linux Enterprise Module for Development Tools 15 SP3 SUSE Linux Enterprise Module for Development Tools 15 SP4 SUSE Linux Enterprise Module for Development Tools 15 SP5 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS SUSE Linux Enterprise Module for Development Tools 15 SP3 SUSE Linux Enterprise Module for Development Tools 15 SP4 SUSE Linux Enterprise Module for Development Tools 15 SP5 SUSE Linux Enterprise Server 15 SP2-LTSS SUSE Linux Enterprise Module for Development Tools 15 SP3 SUSE Linux Enterprise Module for Development Tools 15 SP4 SUSE Linux Enterprise Server 15 SP4-TERADATA SUSE Linux Enterprise Module for Development Tools 15 SP5 SUSE Linux Enterprise Server for SAP Applications 15 SP2 SUSE Linux Enterprise Module for Development Tools 15 SP3 SUSE Linux Enterprise Module for Development Tools 15 SP4 SUSE Linux Enterprise Module for Development Tools 15 SP5 SUSE Linux Enterprise Module for Development Tools 15 SP3 SUSE Linux Enterprise Module for Development Tools 15 SP4 SUSE Linux Enterprise Module for Development Tools 15 SP3 SUSE Linux Enterprise Module for Development Tools 15 SP4 SUSE Linux Enterprise Module for Development Tools 15 SP3 SUSE Linux Enterprise Module for Development Tools 15 SP4 openSUSE Leap 15.3 openSUSE Leap 15.4 openSUSE Tumbleweed jsoup jsoup-1.15.3-1.1 jsoup-1.15.3-150200.3.6.1 jsoup-javadoc-1.15.3-1.1 jsoup-javadoc-1.15.3-150200.3.6.1 jsoup-1.15.3-150200.3.6.1 as a component of Container bci/openjdk-devel:11-36.63 jsoup-1.15.3-150200.3.6.1 as a component of Container bci/openjdk-devel:11-6.2 jsoup-1.15.3-150200.3.6.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP3 jsoup-1.15.3-150200.3.6.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP4 jsoup-1.15.3-150200.3.6.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP5 jsoup-1.15.3-150200.3.6.1 as a component of SUSE Linux Enterprise Server 15 SP4-TERADATA jsoup-1.15.3-150200.3.6.1 as a component of openSUSE Leap 15.3 jsoup-javadoc-1.15.3-150200.3.6.1 as a component of openSUSE Leap 15.3 jsoup-1.15.3-150200.3.6.1 as a component of openSUSE Leap 15.4 jsoup-javadoc-1.15.3-150200.3.6.1 as a component of openSUSE Leap 15.4 jsoup-1.15.3-1.1 as a component of openSUSE Tumbleweed jsoup-javadoc-1.15.3-1.1 as a component of openSUSE Tumbleweed jsoup as a component of SUSE Enterprise Storage 7 jsoup as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS jsoup as a component of SUSE Linux Enterprise Server 15 SP2-LTSS jsoup as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP2 jsoup is a Java HTML parser, built for HTML editing, cleaning, scraping, and cross-site scripting (XSS) safety. jsoup may incorrectly sanitize HTML including `javascript:` URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the non-default `SafeList.preserveRelativeLinks` option is enabled, HTML including `javascript:` URLs that have been crafted with control characters will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is then possible. This issue is patched in jsoup 1.15.3. Users should upgrade to this version. Additionally, as the unsanitized input may have been persisted, old content should be cleaned again using the updated version. To remediate this issue without immediately upgrading: - disable `SafeList.preserveRelativeLinks`, which will rewrite input URLs as absolute URLs - ensure an appropriate [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) is defined. (This should be used regardless of upgrading, as a defence-in-depth best practice.) CVE-2022-36033 Container bci/openjdk-devel:11-36.63:jsoup-1.15.3-150200.3.6.1 Container bci/openjdk-devel:11-6.2:jsoup-1.15.3-150200.3.6.1 SUSE Linux Enterprise Module for Development Tools 15 SP3:jsoup-1.15.3-150200.3.6.1 SUSE Linux Enterprise Module for Development Tools 15 SP4:jsoup-1.15.3-150200.3.6.1 SUSE Linux Enterprise Module for Development Tools 15 SP5:jsoup-1.15.3-150200.3.6.1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 SP5:jsoup-javadoc-1.15.3-150200.3.6.1 SUSE Linux Enterprise Server 15 SP4-TERADATA:jsoup-1.15.3-150200.3.6.1 openSUSE Leap 15.3:jsoup-1.15.3-150200.3.6.1 openSUSE Leap 15.3:jsoup-javadoc-1.15.3-150200.3.6.1 openSUSE Leap 15.4:jsoup-1.15.3-150200.3.6.1 openSUSE Leap 15.4:jsoup-javadoc-1.15.3-150200.3.6.1 openSUSE Tumbleweed:jsoup-1.15.3-1.1 openSUSE Tumbleweed:jsoup-javadoc-1.15.3-1.1 SUSE Enterprise Storage 7:jsoup SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:jsoup SUSE Linux Enterprise Server 15 SP2-LTSS:jsoup SUSE Linux Enterprise Server for SAP Applications 15 SP2:jsoup moderate 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N