Vulnerability-Lookup

RHSA-2024_6656

Vulnerability from csaf_redhat - Published: 2024-09-12 15:45 - Updated: 2024-12-13 15:59

Summary

Red Hat Security Advisory: Migration Toolkit for Runtimes security, bug fix and enhancement update

Severity

Moderate

Notes

Topic: Migration Toolkit for Runtimes 1.2.7 release Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details: Migration Toolkit for Runtimes 1.2.7 Images Security Fix(es): * org.jsoup/jsoup: The jsoup cleaner may incorrectly sanitize crafted XSS attempts if SafeList.preserveRelativeLinks is enabled (CVE-2022-36033) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

CVE-2022-36033

A flaw was found in jsoup, a Java HTML parser built for HTML editing, cleaning, scraping, and Cross-site scripting (XSS) safety. An issue in jsoup may incorrectly sanitize HTML, including `javascript:` URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the non-default `SafeList.preserveRelativeLinks` option is enabled, HTML, including `javascript:` URLs crafted with control characters, will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is possible.

6.1 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE-87 - Improper Neutralization of Alternate XSS Syntax

Affected products

Fixed 15 products

Product	Version	Remediation
Unresolved product id: 8Base-MTR-1:mtr/mtr-operator-bundle@sha256:190a6fa2a6a9b6b182cdf9cab18814d05c203b54ca18dc533e553fa5dcca779e_amd64	—	Vendor Fix fix
Unresolved product id: 8Base-MTR-1:mtr/mtr-operator-bundle@sha256:75ebbef1804fbcb83ee23b2e65ea2a70612ecc6d4db5185274944c9651cedbfd_arm64	—	Vendor Fix fix
Unresolved product id: 8Base-MTR-1:mtr/mtr-operator-bundle@sha256:d21a3b40cd89103a1d280ea8d91f17b55d0ab31c340510989c296d9d6b207a63_ppc64le	—	Vendor Fix fix
Unresolved product id: 8Base-MTR-1:mtr/mtr-operator-bundle@sha256:d3049bd81b789e1e6139f65482f2a561e2f3951ff23a2053fe3aea1c920171c1_s390x	—	Vendor Fix fix
Unresolved product id: 8Base-MTR-1:mtr/mtr-rhel8-operator@sha256:1ea56096b9b1101e226f1f9bf08a04f7c9a34e926004ad385db47c0ea6de1e73_arm64	—	Vendor Fix fix
Unresolved product id: 8Base-MTR-1:mtr/mtr-rhel8-operator@sha256:6d9f1cd11c62b093d0998ada19d570d2dc2aa81548e6bacb9b1a141d58d53c0c_ppc64le	—	Vendor Fix fix
Unresolved product id: 8Base-MTR-1:mtr/mtr-rhel8-operator@sha256:7d50eab932d763330b1ce37d36842598f110884c1af798e1f2f5629c5d223e52_amd64	—	Vendor Fix fix
Unresolved product id: 8Base-MTR-1:mtr/mtr-rhel8-operator@sha256:dffa2b0c8da17f275ddbb7c93d298fa863e223c9135838b5cf305ae09a1b99c1_s390x	—	Vendor Fix fix
Unresolved product id: 8Base-MTR-1:mtr/mtr-web-container-rhel8@sha256:0a0662d4d8215057624af15121f03206d13665df318ca1075a5fe605b49d8ead_ppc64le	—	Vendor Fix fix
Unresolved product id: 8Base-MTR-1:mtr/mtr-web-container-rhel8@sha256:0fba106644240713f8ebbad92089b4e63a8030ecb4671ab12cd21cdd47d10459_s390x	—	Vendor Fix fix
Unresolved product id: 8Base-MTR-1:mtr/mtr-web-container-rhel8@sha256:487d22a14ff07e7fb2c1c16e054481bbd5e59b3de9dabb871c75885f7b9e3801_amd64	—	Vendor Fix fix
Unresolved product id: 8Base-MTR-1:mtr/mtr-web-executor-container-rhel8@sha256:607c54e52652334be36ef3b10745df01c42dc9f95787ca3e9e472a10d3982cf3_arm64	—	Vendor Fix fix
Unresolved product id: 8Base-MTR-1:mtr/mtr-web-executor-container-rhel8@sha256:61cc20767de585645674ba9754872e2a8195a17d2a2406c2465621fcf9750bda_ppc64le	—	Vendor Fix fix
Unresolved product id: 8Base-MTR-1:mtr/mtr-web-executor-container-rhel8@sha256:a7e78424a9f361181f5d07f17ace0659be0d2f1156cf3457836a94a116e75839_s390x	—	Vendor Fix fix
Unresolved product id: 8Base-MTR-1:mtr/mtr-web-executor-container-rhel8@sha256:df22ed74f2ef56af2192da45fa02e1e4ab76e2106b4b42740a1160df06b9d259_amd64	—	Vendor Fix fix

Threats

Impact Moderate

References

8 references

URL	Category
https://access.redhat.com/errata/RHSA-2024:6656	self
https://access.redhat.com/security/updates/classi…	external
https://issues.redhat.com/browse/WINDUPRULE-1050	external
https://security.access.redhat.com/data/csaf/v2/a…	self
https://access.redhat.com/security/cve/CVE-2022-36033	self
https://bugzilla.redhat.com/show_bug.cgi?id=2127078	external
https://www.cve.org/CVERecord?id=CVE-2022-36033	external
https://nvd.nist.gov/vuln/detail/CVE-2022-36033	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Migration Toolkit for Runtimes 1.2.7 release\nRed Hat Product Security has rated this update as having a security impact of Moderate.\nA Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Migration Toolkit for Runtimes 1.2.7 Images\n\nSecurity Fix(es):\n\n* org.jsoup/jsoup: The jsoup cleaner may incorrectly sanitize crafted XSS attempts if SafeList.preserveRelativeLinks is enabled (CVE-2022-36033)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2024:6656",
        "url": "https://access.redhat.com/errata/RHSA-2024:6656"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "WINDUPRULE-1050",
        "url": "https://issues.redhat.com/browse/WINDUPRULE-1050"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_6656.json"
      }
    ],
    "title": "Red Hat Security Advisory: Migration Toolkit for Runtimes security, bug fix and enhancement update",
    "tracking": {
      "current_release_date": "2024-12-13T15:59:01+00:00",
      "generator": {
        "date": "2024-12-13T15:59:01+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.3"
        }
      },
      "id": "RHSA-2024:6656",
      "initial_release_date": "2024-09-12T15:45:34+00:00",
      "revision_history": [
        {
          "date": "2024-09-12T15:45:34+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2024-09-12T15:45:34+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-12-13T15:59:01+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Migration Toolkit for Runtimes 1 on RHEL 8",
                "product": {
                  "name": "Migration Toolkit for Runtimes 1 on RHEL 8",
                  "product_id": "8Base-MTR-1",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Migration Toolkit for Runtimes"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "mtr/mtr-operator-bundle@sha256:190a6fa2a6a9b6b182cdf9cab18814d05c203b54ca18dc533e553fa5dcca779e_amd64",
                "product": {
                  "name": "mtr/mtr-operator-bundle@sha256:190a6fa2a6a9b6b182cdf9cab18814d05c203b54ca18dc533e553fa5dcca779e_amd64",
                  "product_id": "mtr/mtr-operator-bundle@sha256:190a6fa2a6a9b6b182cdf9cab18814d05c203b54ca18dc533e553fa5dcca779e_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/mtr-operator-bundle@sha256:190a6fa2a6a9b6b182cdf9cab18814d05c203b54ca18dc533e553fa5dcca779e?arch=amd64\u0026repository_url=registry.redhat.io/mtr/mtr-operator-bundle\u0026tag=1.2-27"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "mtr/mtr-rhel8-operator@sha256:7d50eab932d763330b1ce37d36842598f110884c1af798e1f2f5629c5d223e52_amd64",
                "product": {
                  "name": "mtr/mtr-rhel8-operator@sha256:7d50eab932d763330b1ce37d36842598f110884c1af798e1f2f5629c5d223e52_amd64",
                  "product_id": "mtr/mtr-rhel8-operator@sha256:7d50eab932d763330b1ce37d36842598f110884c1af798e1f2f5629c5d223e52_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/mtr-rhel8-operator@sha256:7d50eab932d763330b1ce37d36842598f110884c1af798e1f2f5629c5d223e52?arch=amd64\u0026repository_url=registry.redhat.io/mtr/mtr-rhel8-operator\u0026tag=1.2-17"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "mtr/mtr-web-container-rhel8@sha256:487d22a14ff07e7fb2c1c16e054481bbd5e59b3de9dabb871c75885f7b9e3801_amd64",
                "product": {
                  "name": "mtr/mtr-web-container-rhel8@sha256:487d22a14ff07e7fb2c1c16e054481bbd5e59b3de9dabb871c75885f7b9e3801_amd64",
                  "product_id": "mtr/mtr-web-container-rhel8@sha256:487d22a14ff07e7fb2c1c16e054481bbd5e59b3de9dabb871c75885f7b9e3801_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/mtr-web-container-rhel8@sha256:487d22a14ff07e7fb2c1c16e054481bbd5e59b3de9dabb871c75885f7b9e3801?arch=amd64\u0026repository_url=registry.redhat.io/mtr/mtr-web-container-rhel8\u0026tag=latest"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "mtr/mtr-web-executor-container-rhel8@sha256:df22ed74f2ef56af2192da45fa02e1e4ab76e2106b4b42740a1160df06b9d259_amd64",
                "product": {
                  "name": "mtr/mtr-web-executor-container-rhel8@sha256:df22ed74f2ef56af2192da45fa02e1e4ab76e2106b4b42740a1160df06b9d259_amd64",
                  "product_id": "mtr/mtr-web-executor-container-rhel8@sha256:df22ed74f2ef56af2192da45fa02e1e4ab76e2106b4b42740a1160df06b9d259_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/mtr-web-executor-container-rhel8@sha256:df22ed74f2ef56af2192da45fa02e1e4ab76e2106b4b42740a1160df06b9d259?arch=amd64\u0026repository_url=registry.redhat.io/mtr/mtr-web-executor-container-rhel8\u0026tag=latest"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "mtr/mtr-operator-bundle@sha256:75ebbef1804fbcb83ee23b2e65ea2a70612ecc6d4db5185274944c9651cedbfd_arm64",
                "product": {
                  "name": "mtr/mtr-operator-bundle@sha256:75ebbef1804fbcb83ee23b2e65ea2a70612ecc6d4db5185274944c9651cedbfd_arm64",
                  "product_id": "mtr/mtr-operator-bundle@sha256:75ebbef1804fbcb83ee23b2e65ea2a70612ecc6d4db5185274944c9651cedbfd_arm64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/mtr-operator-bundle@sha256:75ebbef1804fbcb83ee23b2e65ea2a70612ecc6d4db5185274944c9651cedbfd?arch=arm64\u0026repository_url=registry.redhat.io/mtr/mtr-operator-bundle\u0026tag=1.2-27"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "mtr/mtr-rhel8-operator@sha256:1ea56096b9b1101e226f1f9bf08a04f7c9a34e926004ad385db47c0ea6de1e73_arm64",
                "product": {
                  "name": "mtr/mtr-rhel8-operator@sha256:1ea56096b9b1101e226f1f9bf08a04f7c9a34e926004ad385db47c0ea6de1e73_arm64",
                  "product_id": "mtr/mtr-rhel8-operator@sha256:1ea56096b9b1101e226f1f9bf08a04f7c9a34e926004ad385db47c0ea6de1e73_arm64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/mtr-rhel8-operator@sha256:1ea56096b9b1101e226f1f9bf08a04f7c9a34e926004ad385db47c0ea6de1e73?arch=arm64\u0026repository_url=registry.redhat.io/mtr/mtr-rhel8-operator\u0026tag=1.2-17"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "mtr/mtr-web-executor-container-rhel8@sha256:607c54e52652334be36ef3b10745df01c42dc9f95787ca3e9e472a10d3982cf3_arm64",
                "product": {
                  "name": "mtr/mtr-web-executor-container-rhel8@sha256:607c54e52652334be36ef3b10745df01c42dc9f95787ca3e9e472a10d3982cf3_arm64",
                  "product_id": "mtr/mtr-web-executor-container-rhel8@sha256:607c54e52652334be36ef3b10745df01c42dc9f95787ca3e9e472a10d3982cf3_arm64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/mtr-web-executor-container-rhel8@sha256:607c54e52652334be36ef3b10745df01c42dc9f95787ca3e9e472a10d3982cf3?arch=arm64\u0026repository_url=registry.redhat.io/mtr/mtr-web-executor-container-rhel8\u0026tag=latest"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "arm64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "mtr/mtr-operator-bundle@sha256:d21a3b40cd89103a1d280ea8d91f17b55d0ab31c340510989c296d9d6b207a63_ppc64le",
                "product": {
                  "name": "mtr/mtr-operator-bundle@sha256:d21a3b40cd89103a1d280ea8d91f17b55d0ab31c340510989c296d9d6b207a63_ppc64le",
                  "product_id": "mtr/mtr-operator-bundle@sha256:d21a3b40cd89103a1d280ea8d91f17b55d0ab31c340510989c296d9d6b207a63_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/mtr-operator-bundle@sha256:d21a3b40cd89103a1d280ea8d91f17b55d0ab31c340510989c296d9d6b207a63?arch=ppc64le\u0026repository_url=registry.redhat.io/mtr/mtr-operator-bundle\u0026tag=1.2-27"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "mtr/mtr-rhel8-operator@sha256:6d9f1cd11c62b093d0998ada19d570d2dc2aa81548e6bacb9b1a141d58d53c0c_ppc64le",
                "product": {
                  "name": "mtr/mtr-rhel8-operator@sha256:6d9f1cd11c62b093d0998ada19d570d2dc2aa81548e6bacb9b1a141d58d53c0c_ppc64le",
                  "product_id": "mtr/mtr-rhel8-operator@sha256:6d9f1cd11c62b093d0998ada19d570d2dc2aa81548e6bacb9b1a141d58d53c0c_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/mtr-rhel8-operator@sha256:6d9f1cd11c62b093d0998ada19d570d2dc2aa81548e6bacb9b1a141d58d53c0c?arch=ppc64le\u0026repository_url=registry.redhat.io/mtr/mtr-rhel8-operator\u0026tag=1.2-17"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "mtr/mtr-web-container-rhel8@sha256:0a0662d4d8215057624af15121f03206d13665df318ca1075a5fe605b49d8ead_ppc64le",
                "product": {
                  "name": "mtr/mtr-web-container-rhel8@sha256:0a0662d4d8215057624af15121f03206d13665df318ca1075a5fe605b49d8ead_ppc64le",
                  "product_id": "mtr/mtr-web-container-rhel8@sha256:0a0662d4d8215057624af15121f03206d13665df318ca1075a5fe605b49d8ead_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/mtr-web-container-rhel8@sha256:0a0662d4d8215057624af15121f03206d13665df318ca1075a5fe605b49d8ead?arch=ppc64le\u0026repository_url=registry.redhat.io/mtr/mtr-web-container-rhel8\u0026tag=latest"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "mtr/mtr-web-executor-container-rhel8@sha256:61cc20767de585645674ba9754872e2a8195a17d2a2406c2465621fcf9750bda_ppc64le",
                "product": {
                  "name": "mtr/mtr-web-executor-container-rhel8@sha256:61cc20767de585645674ba9754872e2a8195a17d2a2406c2465621fcf9750bda_ppc64le",
                  "product_id": "mtr/mtr-web-executor-container-rhel8@sha256:61cc20767de585645674ba9754872e2a8195a17d2a2406c2465621fcf9750bda_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/mtr-web-executor-container-rhel8@sha256:61cc20767de585645674ba9754872e2a8195a17d2a2406c2465621fcf9750bda?arch=ppc64le\u0026repository_url=registry.redhat.io/mtr/mtr-web-executor-container-rhel8\u0026tag=latest"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "mtr/mtr-operator-bundle@sha256:d3049bd81b789e1e6139f65482f2a561e2f3951ff23a2053fe3aea1c920171c1_s390x",
                "product": {
                  "name": "mtr/mtr-operator-bundle@sha256:d3049bd81b789e1e6139f65482f2a561e2f3951ff23a2053fe3aea1c920171c1_s390x",
                  "product_id": "mtr/mtr-operator-bundle@sha256:d3049bd81b789e1e6139f65482f2a561e2f3951ff23a2053fe3aea1c920171c1_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/mtr-operator-bundle@sha256:d3049bd81b789e1e6139f65482f2a561e2f3951ff23a2053fe3aea1c920171c1?arch=s390x\u0026repository_url=registry.redhat.io/mtr/mtr-operator-bundle\u0026tag=1.2-27"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "mtr/mtr-rhel8-operator@sha256:dffa2b0c8da17f275ddbb7c93d298fa863e223c9135838b5cf305ae09a1b99c1_s390x",
                "product": {
                  "name": "mtr/mtr-rhel8-operator@sha256:dffa2b0c8da17f275ddbb7c93d298fa863e223c9135838b5cf305ae09a1b99c1_s390x",
                  "product_id": "mtr/mtr-rhel8-operator@sha256:dffa2b0c8da17f275ddbb7c93d298fa863e223c9135838b5cf305ae09a1b99c1_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/mtr-rhel8-operator@sha256:dffa2b0c8da17f275ddbb7c93d298fa863e223c9135838b5cf305ae09a1b99c1?arch=s390x\u0026repository_url=registry.redhat.io/mtr/mtr-rhel8-operator\u0026tag=1.2-17"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "mtr/mtr-web-container-rhel8@sha256:0fba106644240713f8ebbad92089b4e63a8030ecb4671ab12cd21cdd47d10459_s390x",
                "product": {
                  "name": "mtr/mtr-web-container-rhel8@sha256:0fba106644240713f8ebbad92089b4e63a8030ecb4671ab12cd21cdd47d10459_s390x",
                  "product_id": "mtr/mtr-web-container-rhel8@sha256:0fba106644240713f8ebbad92089b4e63a8030ecb4671ab12cd21cdd47d10459_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/mtr-web-container-rhel8@sha256:0fba106644240713f8ebbad92089b4e63a8030ecb4671ab12cd21cdd47d10459?arch=s390x\u0026repository_url=registry.redhat.io/mtr/mtr-web-container-rhel8\u0026tag=latest"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "mtr/mtr-web-executor-container-rhel8@sha256:a7e78424a9f361181f5d07f17ace0659be0d2f1156cf3457836a94a116e75839_s390x",
                "product": {
                  "name": "mtr/mtr-web-executor-container-rhel8@sha256:a7e78424a9f361181f5d07f17ace0659be0d2f1156cf3457836a94a116e75839_s390x",
                  "product_id": "mtr/mtr-web-executor-container-rhel8@sha256:a7e78424a9f361181f5d07f17ace0659be0d2f1156cf3457836a94a116e75839_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/mtr-web-executor-container-rhel8@sha256:a7e78424a9f361181f5d07f17ace0659be0d2f1156cf3457836a94a116e75839?arch=s390x\u0026repository_url=registry.redhat.io/mtr/mtr-web-executor-container-rhel8\u0026tag=latest"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mtr/mtr-operator-bundle@sha256:190a6fa2a6a9b6b182cdf9cab18814d05c203b54ca18dc533e553fa5dcca779e_amd64 as a component of Migration Toolkit for Runtimes 1 on RHEL 8",
          "product_id": "8Base-MTR-1:mtr/mtr-operator-bundle@sha256:190a6fa2a6a9b6b182cdf9cab18814d05c203b54ca18dc533e553fa5dcca779e_amd64"
        },
        "product_reference": "mtr/mtr-operator-bundle@sha256:190a6fa2a6a9b6b182cdf9cab18814d05c203b54ca18dc533e553fa5dcca779e_amd64",
        "relates_to_product_reference": "8Base-MTR-1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mtr/mtr-operator-bundle@sha256:75ebbef1804fbcb83ee23b2e65ea2a70612ecc6d4db5185274944c9651cedbfd_arm64 as a component of Migration Toolkit for Runtimes 1 on RHEL 8",
          "product_id": "8Base-MTR-1:mtr/mtr-operator-bundle@sha256:75ebbef1804fbcb83ee23b2e65ea2a70612ecc6d4db5185274944c9651cedbfd_arm64"
        },
        "product_reference": "mtr/mtr-operator-bundle@sha256:75ebbef1804fbcb83ee23b2e65ea2a70612ecc6d4db5185274944c9651cedbfd_arm64",
        "relates_to_product_reference": "8Base-MTR-1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mtr/mtr-operator-bundle@sha256:d21a3b40cd89103a1d280ea8d91f17b55d0ab31c340510989c296d9d6b207a63_ppc64le as a component of Migration Toolkit for Runtimes 1 on RHEL 8",
          "product_id": "8Base-MTR-1:mtr/mtr-operator-bundle@sha256:d21a3b40cd89103a1d280ea8d91f17b55d0ab31c340510989c296d9d6b207a63_ppc64le"
        },
        "product_reference": "mtr/mtr-operator-bundle@sha256:d21a3b40cd89103a1d280ea8d91f17b55d0ab31c340510989c296d9d6b207a63_ppc64le",
        "relates_to_product_reference": "8Base-MTR-1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mtr/mtr-operator-bundle@sha256:d3049bd81b789e1e6139f65482f2a561e2f3951ff23a2053fe3aea1c920171c1_s390x as a component of Migration Toolkit for Runtimes 1 on RHEL 8",
          "product_id": "8Base-MTR-1:mtr/mtr-operator-bundle@sha256:d3049bd81b789e1e6139f65482f2a561e2f3951ff23a2053fe3aea1c920171c1_s390x"
        },
        "product_reference": "mtr/mtr-operator-bundle@sha256:d3049bd81b789e1e6139f65482f2a561e2f3951ff23a2053fe3aea1c920171c1_s390x",
        "relates_to_product_reference": "8Base-MTR-1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mtr/mtr-rhel8-operator@sha256:1ea56096b9b1101e226f1f9bf08a04f7c9a34e926004ad385db47c0ea6de1e73_arm64 as a component of Migration Toolkit for Runtimes 1 on RHEL 8",
          "product_id": "8Base-MTR-1:mtr/mtr-rhel8-operator@sha256:1ea56096b9b1101e226f1f9bf08a04f7c9a34e926004ad385db47c0ea6de1e73_arm64"
        },
        "product_reference": "mtr/mtr-rhel8-operator@sha256:1ea56096b9b1101e226f1f9bf08a04f7c9a34e926004ad385db47c0ea6de1e73_arm64",
        "relates_to_product_reference": "8Base-MTR-1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mtr/mtr-rhel8-operator@sha256:6d9f1cd11c62b093d0998ada19d570d2dc2aa81548e6bacb9b1a141d58d53c0c_ppc64le as a component of Migration Toolkit for Runtimes 1 on RHEL 8",
          "product_id": "8Base-MTR-1:mtr/mtr-rhel8-operator@sha256:6d9f1cd11c62b093d0998ada19d570d2dc2aa81548e6bacb9b1a141d58d53c0c_ppc64le"
        },
        "product_reference": "mtr/mtr-rhel8-operator@sha256:6d9f1cd11c62b093d0998ada19d570d2dc2aa81548e6bacb9b1a141d58d53c0c_ppc64le",
        "relates_to_product_reference": "8Base-MTR-1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mtr/mtr-rhel8-operator@sha256:7d50eab932d763330b1ce37d36842598f110884c1af798e1f2f5629c5d223e52_amd64 as a component of Migration Toolkit for Runtimes 1 on RHEL 8",
          "product_id": "8Base-MTR-1:mtr/mtr-rhel8-operator@sha256:7d50eab932d763330b1ce37d36842598f110884c1af798e1f2f5629c5d223e52_amd64"
        },
        "product_reference": "mtr/mtr-rhel8-operator@sha256:7d50eab932d763330b1ce37d36842598f110884c1af798e1f2f5629c5d223e52_amd64",
        "relates_to_product_reference": "8Base-MTR-1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mtr/mtr-rhel8-operator@sha256:dffa2b0c8da17f275ddbb7c93d298fa863e223c9135838b5cf305ae09a1b99c1_s390x as a component of Migration Toolkit for Runtimes 1 on RHEL 8",
          "product_id": "8Base-MTR-1:mtr/mtr-rhel8-operator@sha256:dffa2b0c8da17f275ddbb7c93d298fa863e223c9135838b5cf305ae09a1b99c1_s390x"
        },
        "product_reference": "mtr/mtr-rhel8-operator@sha256:dffa2b0c8da17f275ddbb7c93d298fa863e223c9135838b5cf305ae09a1b99c1_s390x",
        "relates_to_product_reference": "8Base-MTR-1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mtr/mtr-web-container-rhel8@sha256:0a0662d4d8215057624af15121f03206d13665df318ca1075a5fe605b49d8ead_ppc64le as a component of Migration Toolkit for Runtimes 1 on RHEL 8",
          "product_id": "8Base-MTR-1:mtr/mtr-web-container-rhel8@sha256:0a0662d4d8215057624af15121f03206d13665df318ca1075a5fe605b49d8ead_ppc64le"
        },
        "product_reference": "mtr/mtr-web-container-rhel8@sha256:0a0662d4d8215057624af15121f03206d13665df318ca1075a5fe605b49d8ead_ppc64le",
        "relates_to_product_reference": "8Base-MTR-1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mtr/mtr-web-container-rhel8@sha256:0fba106644240713f8ebbad92089b4e63a8030ecb4671ab12cd21cdd47d10459_s390x as a component of Migration Toolkit for Runtimes 1 on RHEL 8",
          "product_id": "8Base-MTR-1:mtr/mtr-web-container-rhel8@sha256:0fba106644240713f8ebbad92089b4e63a8030ecb4671ab12cd21cdd47d10459_s390x"
        },
        "product_reference": "mtr/mtr-web-container-rhel8@sha256:0fba106644240713f8ebbad92089b4e63a8030ecb4671ab12cd21cdd47d10459_s390x",
        "relates_to_product_reference": "8Base-MTR-1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mtr/mtr-web-container-rhel8@sha256:487d22a14ff07e7fb2c1c16e054481bbd5e59b3de9dabb871c75885f7b9e3801_amd64 as a component of Migration Toolkit for Runtimes 1 on RHEL 8",
          "product_id": "8Base-MTR-1:mtr/mtr-web-container-rhel8@sha256:487d22a14ff07e7fb2c1c16e054481bbd5e59b3de9dabb871c75885f7b9e3801_amd64"
        },
        "product_reference": "mtr/mtr-web-container-rhel8@sha256:487d22a14ff07e7fb2c1c16e054481bbd5e59b3de9dabb871c75885f7b9e3801_amd64",
        "relates_to_product_reference": "8Base-MTR-1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mtr/mtr-web-executor-container-rhel8@sha256:607c54e52652334be36ef3b10745df01c42dc9f95787ca3e9e472a10d3982cf3_arm64 as a component of Migration Toolkit for Runtimes 1 on RHEL 8",
          "product_id": "8Base-MTR-1:mtr/mtr-web-executor-container-rhel8@sha256:607c54e52652334be36ef3b10745df01c42dc9f95787ca3e9e472a10d3982cf3_arm64"
        },
        "product_reference": "mtr/mtr-web-executor-container-rhel8@sha256:607c54e52652334be36ef3b10745df01c42dc9f95787ca3e9e472a10d3982cf3_arm64",
        "relates_to_product_reference": "8Base-MTR-1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mtr/mtr-web-executor-container-rhel8@sha256:61cc20767de585645674ba9754872e2a8195a17d2a2406c2465621fcf9750bda_ppc64le as a component of Migration Toolkit for Runtimes 1 on RHEL 8",
          "product_id": "8Base-MTR-1:mtr/mtr-web-executor-container-rhel8@sha256:61cc20767de585645674ba9754872e2a8195a17d2a2406c2465621fcf9750bda_ppc64le"
        },
        "product_reference": "mtr/mtr-web-executor-container-rhel8@sha256:61cc20767de585645674ba9754872e2a8195a17d2a2406c2465621fcf9750bda_ppc64le",
        "relates_to_product_reference": "8Base-MTR-1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mtr/mtr-web-executor-container-rhel8@sha256:a7e78424a9f361181f5d07f17ace0659be0d2f1156cf3457836a94a116e75839_s390x as a component of Migration Toolkit for Runtimes 1 on RHEL 8",
          "product_id": "8Base-MTR-1:mtr/mtr-web-executor-container-rhel8@sha256:a7e78424a9f361181f5d07f17ace0659be0d2f1156cf3457836a94a116e75839_s390x"
        },
        "product_reference": "mtr/mtr-web-executor-container-rhel8@sha256:a7e78424a9f361181f5d07f17ace0659be0d2f1156cf3457836a94a116e75839_s390x",
        "relates_to_product_reference": "8Base-MTR-1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mtr/mtr-web-executor-container-rhel8@sha256:df22ed74f2ef56af2192da45fa02e1e4ab76e2106b4b42740a1160df06b9d259_amd64 as a component of Migration Toolkit for Runtimes 1 on RHEL 8",
          "product_id": "8Base-MTR-1:mtr/mtr-web-executor-container-rhel8@sha256:df22ed74f2ef56af2192da45fa02e1e4ab76e2106b4b42740a1160df06b9d259_amd64"
        },
        "product_reference": "mtr/mtr-web-executor-container-rhel8@sha256:df22ed74f2ef56af2192da45fa02e1e4ab76e2106b4b42740a1160df06b9d259_amd64",
        "relates_to_product_reference": "8Base-MTR-1"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-36033",
      "cwe": {
        "id": "CWE-87",
        "name": "Improper Neutralization of Alternate XSS Syntax"
      },
      "discovery_date": "2022-09-15T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2127078"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in jsoup, a Java HTML parser built for HTML editing, cleaning, scraping, and Cross-site scripting (XSS) safety. An issue in jsoup may incorrectly sanitize HTML, including `javascript:` URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the non-default `SafeList.preserveRelativeLinks` option is enabled, HTML, including `javascript:` URLs crafted with control characters, will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is possible.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jsoup: The jsoup cleaner may incorrectly sanitize crafted XSS attempts if SafeList.preserveRelativeLinks is enabled",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-MTR-1:mtr/mtr-operator-bundle@sha256:190a6fa2a6a9b6b182cdf9cab18814d05c203b54ca18dc533e553fa5dcca779e_amd64",
          "8Base-MTR-1:mtr/mtr-operator-bundle@sha256:75ebbef1804fbcb83ee23b2e65ea2a70612ecc6d4db5185274944c9651cedbfd_arm64",
          "8Base-MTR-1:mtr/mtr-operator-bundle@sha256:d21a3b40cd89103a1d280ea8d91f17b55d0ab31c340510989c296d9d6b207a63_ppc64le",
          "8Base-MTR-1:mtr/mtr-operator-bundle@sha256:d3049bd81b789e1e6139f65482f2a561e2f3951ff23a2053fe3aea1c920171c1_s390x",
          "8Base-MTR-1:mtr/mtr-rhel8-operator@sha256:1ea56096b9b1101e226f1f9bf08a04f7c9a34e926004ad385db47c0ea6de1e73_arm64",
          "8Base-MTR-1:mtr/mtr-rhel8-operator@sha256:6d9f1cd11c62b093d0998ada19d570d2dc2aa81548e6bacb9b1a141d58d53c0c_ppc64le",
          "8Base-MTR-1:mtr/mtr-rhel8-operator@sha256:7d50eab932d763330b1ce37d36842598f110884c1af798e1f2f5629c5d223e52_amd64",
          "8Base-MTR-1:mtr/mtr-rhel8-operator@sha256:dffa2b0c8da17f275ddbb7c93d298fa863e223c9135838b5cf305ae09a1b99c1_s390x",
          "8Base-MTR-1:mtr/mtr-web-container-rhel8@sha256:0a0662d4d8215057624af15121f03206d13665df318ca1075a5fe605b49d8ead_ppc64le",
          "8Base-MTR-1:mtr/mtr-web-container-rhel8@sha256:0fba106644240713f8ebbad92089b4e63a8030ecb4671ab12cd21cdd47d10459_s390x",
          "8Base-MTR-1:mtr/mtr-web-container-rhel8@sha256:487d22a14ff07e7fb2c1c16e054481bbd5e59b3de9dabb871c75885f7b9e3801_amd64",
          "8Base-MTR-1:mtr/mtr-web-executor-container-rhel8@sha256:607c54e52652334be36ef3b10745df01c42dc9f95787ca3e9e472a10d3982cf3_arm64",
          "8Base-MTR-1:mtr/mtr-web-executor-container-rhel8@sha256:61cc20767de585645674ba9754872e2a8195a17d2a2406c2465621fcf9750bda_ppc64le",
          "8Base-MTR-1:mtr/mtr-web-executor-container-rhel8@sha256:a7e78424a9f361181f5d07f17ace0659be0d2f1156cf3457836a94a116e75839_s390x",
          "8Base-MTR-1:mtr/mtr-web-executor-container-rhel8@sha256:df22ed74f2ef56af2192da45fa02e1e4ab76e2106b4b42740a1160df06b9d259_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-36033"
        },
        {
          "category": "external",
          "summary": "RHBZ#2127078",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2127078"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-36033",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-36033"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-36033",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36033"
        }
      ],
      "release_date": "2022-08-29T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-09-12T15:45:34+00:00",
          "details": "Install the latest version of the Migration Toolkit for Runtimes from the Red Hat catalog in the OperatorHub page within your OpenShift instance.",
          "product_ids": [
            "8Base-MTR-1:mtr/mtr-operator-bundle@sha256:190a6fa2a6a9b6b182cdf9cab18814d05c203b54ca18dc533e553fa5dcca779e_amd64",
            "8Base-MTR-1:mtr/mtr-operator-bundle@sha256:75ebbef1804fbcb83ee23b2e65ea2a70612ecc6d4db5185274944c9651cedbfd_arm64",
            "8Base-MTR-1:mtr/mtr-operator-bundle@sha256:d21a3b40cd89103a1d280ea8d91f17b55d0ab31c340510989c296d9d6b207a63_ppc64le",
            "8Base-MTR-1:mtr/mtr-operator-bundle@sha256:d3049bd81b789e1e6139f65482f2a561e2f3951ff23a2053fe3aea1c920171c1_s390x",
            "8Base-MTR-1:mtr/mtr-rhel8-operator@sha256:1ea56096b9b1101e226f1f9bf08a04f7c9a34e926004ad385db47c0ea6de1e73_arm64",
            "8Base-MTR-1:mtr/mtr-rhel8-operator@sha256:6d9f1cd11c62b093d0998ada19d570d2dc2aa81548e6bacb9b1a141d58d53c0c_ppc64le",
            "8Base-MTR-1:mtr/mtr-rhel8-operator@sha256:7d50eab932d763330b1ce37d36842598f110884c1af798e1f2f5629c5d223e52_amd64",
            "8Base-MTR-1:mtr/mtr-rhel8-operator@sha256:dffa2b0c8da17f275ddbb7c93d298fa863e223c9135838b5cf305ae09a1b99c1_s390x",
            "8Base-MTR-1:mtr/mtr-web-container-rhel8@sha256:0a0662d4d8215057624af15121f03206d13665df318ca1075a5fe605b49d8ead_ppc64le",
            "8Base-MTR-1:mtr/mtr-web-container-rhel8@sha256:0fba106644240713f8ebbad92089b4e63a8030ecb4671ab12cd21cdd47d10459_s390x",
            "8Base-MTR-1:mtr/mtr-web-container-rhel8@sha256:487d22a14ff07e7fb2c1c16e054481bbd5e59b3de9dabb871c75885f7b9e3801_amd64",
            "8Base-MTR-1:mtr/mtr-web-executor-container-rhel8@sha256:607c54e52652334be36ef3b10745df01c42dc9f95787ca3e9e472a10d3982cf3_arm64",
            "8Base-MTR-1:mtr/mtr-web-executor-container-rhel8@sha256:61cc20767de585645674ba9754872e2a8195a17d2a2406c2465621fcf9750bda_ppc64le",
            "8Base-MTR-1:mtr/mtr-web-executor-container-rhel8@sha256:a7e78424a9f361181f5d07f17ace0659be0d2f1156cf3457836a94a116e75839_s390x",
            "8Base-MTR-1:mtr/mtr-web-executor-container-rhel8@sha256:df22ed74f2ef56af2192da45fa02e1e4ab76e2106b4b42740a1160df06b9d259_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:6656"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "8Base-MTR-1:mtr/mtr-operator-bundle@sha256:190a6fa2a6a9b6b182cdf9cab18814d05c203b54ca18dc533e553fa5dcca779e_amd64",
            "8Base-MTR-1:mtr/mtr-operator-bundle@sha256:75ebbef1804fbcb83ee23b2e65ea2a70612ecc6d4db5185274944c9651cedbfd_arm64",
            "8Base-MTR-1:mtr/mtr-operator-bundle@sha256:d21a3b40cd89103a1d280ea8d91f17b55d0ab31c340510989c296d9d6b207a63_ppc64le",
            "8Base-MTR-1:mtr/mtr-operator-bundle@sha256:d3049bd81b789e1e6139f65482f2a561e2f3951ff23a2053fe3aea1c920171c1_s390x",
            "8Base-MTR-1:mtr/mtr-rhel8-operator@sha256:1ea56096b9b1101e226f1f9bf08a04f7c9a34e926004ad385db47c0ea6de1e73_arm64",
            "8Base-MTR-1:mtr/mtr-rhel8-operator@sha256:6d9f1cd11c62b093d0998ada19d570d2dc2aa81548e6bacb9b1a141d58d53c0c_ppc64le",
            "8Base-MTR-1:mtr/mtr-rhel8-operator@sha256:7d50eab932d763330b1ce37d36842598f110884c1af798e1f2f5629c5d223e52_amd64",
            "8Base-MTR-1:mtr/mtr-rhel8-operator@sha256:dffa2b0c8da17f275ddbb7c93d298fa863e223c9135838b5cf305ae09a1b99c1_s390x",
            "8Base-MTR-1:mtr/mtr-web-container-rhel8@sha256:0a0662d4d8215057624af15121f03206d13665df318ca1075a5fe605b49d8ead_ppc64le",
            "8Base-MTR-1:mtr/mtr-web-container-rhel8@sha256:0fba106644240713f8ebbad92089b4e63a8030ecb4671ab12cd21cdd47d10459_s390x",
            "8Base-MTR-1:mtr/mtr-web-container-rhel8@sha256:487d22a14ff07e7fb2c1c16e054481bbd5e59b3de9dabb871c75885f7b9e3801_amd64",
            "8Base-MTR-1:mtr/mtr-web-executor-container-rhel8@sha256:607c54e52652334be36ef3b10745df01c42dc9f95787ca3e9e472a10d3982cf3_arm64",
            "8Base-MTR-1:mtr/mtr-web-executor-container-rhel8@sha256:61cc20767de585645674ba9754872e2a8195a17d2a2406c2465621fcf9750bda_ppc64le",
            "8Base-MTR-1:mtr/mtr-web-executor-container-rhel8@sha256:a7e78424a9f361181f5d07f17ace0659be0d2f1156cf3457836a94a116e75839_s390x",
            "8Base-MTR-1:mtr/mtr-web-executor-container-rhel8@sha256:df22ed74f2ef56af2192da45fa02e1e4ab76e2106b4b42740a1160df06b9d259_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "jsoup: The jsoup cleaner may incorrectly sanitize crafted XSS attempts if SafeList.preserveRelativeLinks is enabled"
    }
  ]
}

CVE-2022-36033 (GCVE-0-2022-36033)

Vulnerability from cvelistv5 – Published: 2022-08-29 00:00 – Updated: 2025-04-22 17:41

Title

jsoup may not sanitize Cross-Site Scripting (XSS) attempts if SafeList.preserveRelativeLinks is enabled

Summary

jsoup is a Java HTML parser, built for HTML editing, cleaning, scraping, and cross-site scripting (XSS) safety. jsoup may incorrectly sanitize HTML including `javascript:` URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the non-default `SafeList.preserveRelativeLinks` option is enabled, HTML including `javascript:` URLs that have been crafted with control characters will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is then possible. This issue is patched in jsoup 1.15.3. Users should upgrade to this version. Additionally, as the unsanitized input may have been persisted, old content should be cleaned again using the updated version. To remediate this issue without immediately upgrading: - disable `SafeList.preserveRelativeLinks`, which will rewrite input URLs as absolute URLs - ensure an appropriate [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) is defined. (This should be used regardless of upgrading, as a defence-in-depth best practice.)

Severity ?

6.1 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE

CWE-87 - Improper Neutralization of Alternate XSS Syntax
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

GitHub_M

References

4 references

URL	Tags
https://github.com/jhy/jsoup/security/advisories/…
https://github.com/jhy/jsoup/releases/tag/jsoup-1.15.3
https://jsoup.org/news/release-1.15.3
https://security.netapp.com/advisory/ntap-2022110…

Impacted products

1 product

Vendor	Product	Version
jhy	jsoup	Affected: < 1.15.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T09:51:59.964Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/jhy/jsoup/security/advisories/GHSA-gp7f-rwcx-9369"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/jhy/jsoup/releases/tag/jsoup-1.15.3"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://jsoup.org/news/release-1.15.3"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20221104-0006/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-36033",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-22T15:44:56.200275Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-22T17:41:13.666Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "jsoup",
          "vendor": "jhy",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.15.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "jsoup is a Java HTML parser, built for HTML editing, cleaning, scraping, and cross-site scripting (XSS) safety. jsoup may incorrectly sanitize HTML including `javascript:` URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the non-default `SafeList.preserveRelativeLinks` option is enabled, HTML including `javascript:` URLs that have been crafted with control characters will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is then possible. This issue is patched in jsoup 1.15.3. Users should upgrade to this version. Additionally, as the unsanitized input may have been persisted, old content should be cleaned again using the updated version. To remediate this issue without immediately upgrading: - disable `SafeList.preserveRelativeLinks`, which will rewrite input URLs as absolute URLs - ensure an appropriate [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) is defined. (This should be used regardless of upgrading, as a defence-in-depth best practice.)"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-87",
              "description": "CWE-87: Improper Neutralization of Alternate XSS Syntax",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-11-04T00:00:00.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "url": "https://github.com/jhy/jsoup/security/advisories/GHSA-gp7f-rwcx-9369"
        },
        {
          "url": "https://github.com/jhy/jsoup/releases/tag/jsoup-1.15.3"
        },
        {
          "url": "https://jsoup.org/news/release-1.15.3"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20221104-0006/"
        }
      ],
      "source": {
        "advisory": "GHSA-gp7f-rwcx-9369",
        "discovery": "UNKNOWN"
      },
      "title": "jsoup may not sanitize Cross-Site Scripting (XSS) attempts if SafeList.preserveRelativeLinks is enabled"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-36033",
    "datePublished": "2022-08-29T00:00:00.000Z",
    "dateReserved": "2022-07-15T00:00:00.000Z",
    "dateUpdated": "2025-04-22T17:41:13.666Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

RHSA-2024_6656

CVE-2022-36033 (GCVE-0-2022-36033)

Tags

Sightings

Nomenclature