mangstadt / ez-vcard

A vCard parser library for Java

Vulnerability (CVE-2021-37714) in jsoup 1.13.1 #118

Closed malikarsllan closed 3 years ago

malikarsllan commented 3 years ago

ez-vcard is using jsoup 1.13.1, and recently a high-severity vulnerability was discovered in this version. The solution could be to use a later version of the library (e.g. 1.14.2). Following is more information about the vulnerability:

jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue is patched in version 1.14.2. There are a few available workarounds. Users may rate limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and timeout parse runtimes.

https://nvd.nist.gov/vuln/detail/CVE-2021-37714
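The advisory above lists input-size limits and thread watchdogs as interim workarounds. The following is an added example, not code from ez-vcard or from anyone in this thread, showing how an application could apply both around ez-vcard's hCard entry point (`Ezvcard.parseHtml`, the only ez-vcard path that goes through jsoup). The class name `GuardedHcardParser`, the `ParseRejectedException` type, and the limits `MAX_HTML_CHARS` and `PARSE_TIMEOUT_MS` are assumptions chosen for the example; the sample hCard markup is constructed inline so it runs offline.

```java
import ezvcard.Ezvcard;
import ezvcard.VCard;

import java.util.List;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

/**
 * Guarded hCard parsing: caps input size and bounds parse time.
 * Hypothetical helper written for this thread, not part of ez-vcard.
 */
public final class GuardedHcardParser {
    // Assumed limits; tune to the resources of your own service.
    private static final int MAX_HTML_CHARS = 256 * 1024;
    private static final long PARSE_TIMEOUT_MS = 2_000;

    // Daemon threads so a parse that never returns cannot keep the JVM alive at shutdown.
    private static final ExecutorService WATCHDOG = Executors.newCachedThreadPool(r -> {
        Thread t = new Thread(r, "hcard-parse");
        t.setDaemon(true);
        return t;
    });

    private GuardedHcardParser() {}

    /** Parses untrusted hCard HTML, rejecting oversized or slow input. */
    public static List<VCard> parse(String untrustedHtml) throws ParseRejectedException {
        // Workaround 1: limit input size before the parser ever sees it.
        if (untrustedHtml.length() > MAX_HTML_CHARS) {
            throw new ParseRejectedException("hCard input exceeds " + MAX_HTML_CHARS + " chars");
        }

        // Workaround 2: run the parse on a watchdog thread with a hard deadline.
        Future<List<VCard>> job = WATCHDOG.submit(() -> Ezvcard.parseHtml(untrustedHtml).all());
        try {
            return job.get(PARSE_TIMEOUT_MS, TimeUnit.MILLISECONDS);
        } catch (TimeoutException e) {
            // cancel(true) only interrupts; a loop that never checks the interrupt flag
            // keeps spinning on its daemon thread, so the caller is unblocked but CPU is not reclaimed.
            job.cancel(true);
            throw new ParseRejectedException("hCard parse exceeded " + PARSE_TIMEOUT_MS + " ms");
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new ParseRejectedException("interrupted while parsing hCard");
        } catch (ExecutionException e) {
            // The advisory's "unexpected exception" case: surface it as a rejection, not a crash.
            throw new ParseRejectedException("hCard parse failed: " + e.getCause());
        }
    }

    /** Thrown when input is rejected by the size cap or the watchdog. */
    public static final class ParseRejectedException extends Exception {
        ParseRejectedException(String msg) { super(msg); }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample hCard markup, embedded so the demo runs offline.
        String html = "<div class=\"vcard\">"
            + "<span class=\"fn\">Jane Doe</span>"
            + "<a class=\"email\" href=\"mailto:jane@example.com\">jane@example.com</a>"
            + "</div>";
        for (VCard vcard : parse(html)) {
            System.out.println(vcard.getFormattedName().getValue());
        }
    }
}
```

The watchdog protects the calling thread, not the machine: a parser stuck in a tight loop that ignores interruption keeps burning a core until the JVM exits, so a bounded pool (or per-request process isolation) is needed to cap the damage from repeated malicious inputs. These guards are a stopgap; the real fix is upgrading jsoup to 1.14.2 or later, which is what the ez-vcard release discussed further down does.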

mangstadt commented 3 years ago

Thanks for posting. I received an automated pull request about this yesterday.

The next time you contribute information like this to an open source project, please cite your sources.

oliver-speck commented 3 years ago

Hi, when can we expect a new ez-vcard release including the now bumped jsoup version? Thanks in advance.

mangstadt commented 3 years ago

Sometime soon, probably.

jsoup is only used to read/write jCards (JSON-encoded vCards). If you are not using jCards in your application, then you will not be affected by this vulnerability.

mangstadt commented 3 years ago

There was a mistake in my previous post: jsoup is used to read hCards (HTML-encoded vCards). It has nothing to do with jCards.

A new version of ez-vcard has just been published (0.11.3). It should appear on Maven Central within a few hours.