[ https://issues.apache.org/jira/browse/MNG-7227?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Michael Osipov closed MNG-7227.
-------------------------------
Resolution: Won't Fix
> Fix CVE-2021-37714 present in apache-maven
> ------------------------------------------
>
> Key: MNG-7227
> URL: https://issues.apache.org/jira/browse/MNG-7227
> Project: Maven
> Issue Type: Bug
> Components: Dependencies
> Affects Versions: 3.8.2
> Reporter: swapnil bharshankar
> Priority: Minor
>
> The following high severity CVE-2021-37714 is present in Apache Maven.
> Description: jsoup is a Java library for working with HTML. Those using jsoup
> versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to
> DOS attacks. If the parser is run on user supplied input, an attacker may
> supply content that causes the parser to get stuck (loop indefinitely until
> cancelled), to complete more slowly than usual, or to throw an unexpected
> exception. This effect may support a denial of service attack. The issue is
> patched in version 1.14.2. There are a few available workarounds. Users may
> rate limit input parsing, limit the size of inputs based on system resources,
> and/or implement thread watchdogs to cap and timeout parse runtimes.
> Ref:
> * [https://github.com/jhy/jsoup/security/advisories/GHSA-m72m-mhq2-9p6c]
> * [https://nvd.nist.gov/vuln/detail/CVE-2021-37714]
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
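The advisory quoted in the issue lists input size limits and thread watchdogs that cap parse runtime as workarounds for callers that cannot yet move to jsoup 1.14.2. The following is an added example of that defensive pattern, not code from the issue, from Maven or from jsoup; it assumes jsoup on the classpath, and the size and timeout constants are placeholders to be tuned per deployment.

```java
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;

public final class BoundedHtmlParser {
    // Assumed limits for illustration; size them to the host's resources.
    private static final int MAX_INPUT_CHARS = 1_000_000;
    private static final long PARSE_TIMEOUT_MS = 2_000;

    // A dedicated pool keeps a runaway parse from starving unrelated work.
    private static final ExecutorService POOL = Executors.newFixedThreadPool(4, r -> {
        Thread t = new Thread(r, "jsoup-parser");
        t.setDaemon(true);
        return t;
    });

    /** Parses untrusted HTML with a size cap and a wall-clock watchdog. */
    public static Document parseUntrusted(String html, String baseUri) throws TimeoutException {
        if (html.length() > MAX_INPUT_CHARS) {
            throw new IllegalArgumentException("input exceeds " + MAX_INPUT_CHARS + " chars");
        }
        Future<Document> pending = POOL.submit(() -> Jsoup.parse(html, baseUri));
        try {
            return pending.get(PARSE_TIMEOUT_MS, TimeUnit.MILLISECONDS);
        } catch (TimeoutException e) {
            // Best effort only: a tight parser loop may never observe the interrupt,
            // so the caller is released while the worker may keep running.
            pending.cancel(true);
            throw e;
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new IllegalStateException("interrupted while parsing", e);
        } catch (ExecutionException e) {
            // Unexpected parser exceptions are treated as rejected input, not a server fault.
            throw new IllegalArgumentException("unparseable input", e.getCause());
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input, not taken from the issue.
        Document doc = parseUntrusted("<p>hello <b>world</b></p>", "https://example.invalid/");
        System.out.println(doc.body().text()); // hello world
    }
}
```

Because a CPU-bound parse that never checks its interrupt flag will run to completion despite `cancel(true)`, the pool is deliberately separate and bounded so that stuck workers are contained; monitoring the pool's queue depth is how such hangs become visible in operation.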