Closed malikarsllan closed 3 years ago
mangstadt
commented
3 years ago Thanks for posting. I received an automated pull request about this yesterday.
The next time you contribute information like this to an open source project, please site your sources.
oliver-speck
commented
2 years ago Hi, when can we expect a new ez-vcard release including the now bumped jsoup version? Thanks in advance.
mangstadt
commented
2 years ago Sometime soon, probably.
jsoup is only used to read/write jCards (JSON-encoded vCards). If you are not using jCards in your application, then you will not be affected by this vulnerability.
mangstadt
commented
2 years ago There was a mistake in my previous post: jsoup is used to read hCards (HTML-encoded vCards). It has nothing to do with jCards.
A new version of ez-vcard has just been published (0.11.3). It should appear on Maven Center within a few hours.
ez-vcard is using the jsoup:1.13.1 and recently a high vulnerability is discovered in this version. The solution could be to use the later version of the library (e.g. 1.14.2). Following is more information about the vulnerability:
jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue is patched in version 1.14.2. There are a few available workarounds. Users may rate limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and timeout parse runtimes.
https://nvd.nist.gov/vuln/detail/CVE-2021-37714