Our fuzzer for the JVM, Jazzer, has found more than 19 bugs in the open-source library jsoup, tracked collectively as CVE-2021-37714. Eight of them may have a critical impact on the availability of web applications that use jsoup. Users should update to jsoup 1.14.2 promptly to avoid downtime!
jsoup is a popular Java library for parsing, extracting and manipulating data stored in HTML documents. It can also be used to parse and build XML documents.
Applications that use a jsoup version before 1.14.2 to parse untrusted HTML or XML may be vulnerable to denial-of-service attacks. If the parser is run on user-supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete much more slowly than usual, or to throw an unexpected exception.
Example: stack overflow (see Gist)
My team and I used our coverage-guided, in-process fuzzer for the JVM, Jazzer, to fuzz jsoup. Jazzer is extremely useful for finding bugs in fuzz targets that parse complex, nested structures such as HTML, XML or JSON.
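To show what a Jazzer fuzz target for a parser like jsoup looks like, and how the three failure modes described above (hangs, slowdowns, unexpected exceptions) surface as findings, here is an added illustration. It is not jsoup's actual OSS-Fuzz harness and not code from the original post; the class name `JsoupFuzzer`, the choice to cover both the HTML and XML parser in one target, and the command-line flags in the usage note are assumptions for this example.

```java
import com.code_intelligence.jazzer.api.FuzzedDataProvider;
import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;
import org.jsoup.parser.Parser;

// Illustrative Jazzer fuzz target for jsoup (added example, not the project's own harness).
public class JsoupFuzzer {

    // Jazzer calls this method once per generated input. Any Throwable that escapes it,
    // including StackOverflowError from deeply nested markup, is reported as a finding.
    // Inputs that make the parser hang are caught by libFuzzer's -timeout flag, and
    // inputs that make it allocate excessively by -rss_limit_mb; both are also findings.
    public static void fuzzerTestOneInput(FuzzedDataProvider data) {
        // Let the fuzzer decide which entry point to exercise so both parsers get coverage.
        boolean useHtmlParser = data.consumeBoolean();
        // The rest of the input is the untrusted document, mirroring user-supplied content
        // reaching the parser in a web application.
        String untrusted = data.consumeRemainingAsString();

        Document doc;
        if (useHtmlParser) {
            doc = Jsoup.parse(untrusted);
        } else {
            doc = Jsoup.parse(untrusted, "", Parser.xmlParser());
        }

        // Serialising the parsed tree exercises the output side as well, so bugs that only
        // appear when the document is walked back into markup are also reachable.
        doc.outerHtml();

        // Deliberately no try/catch: swallowing exceptions here would hide exactly the
        // "unexpected exception" class of bugs the advisory describes.
    }
}
```

Assuming the Jazzer CLI and a classpath containing the compiled target plus the jsoup jar, a run such as `jazzer --cp=target/classes:jsoup.jar --target_class=JsoupFuzzer -timeout=25` treats any input that keeps the parser busy for more than 25 seconds as a hang, separate from the crashes raised by uncaught exceptions. A slowdown that stays under the timeout is harder to see from a single run; comparing executions per second in libFuzzer's status lines, or lowering `-timeout`, is the usual way to surface that class.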
Developers from Code Intelligence integrated jsoup into the OSS-Fuzz platform, which made continuous fuzzing of jsoup possible. More than 165 bugs have already been found thanks to the integration of Jazzer into OSS-Fuzz.
FuzzCon Europe 2021 is a developer conference that is all about fuzzing and automated security testing. We connect developers and security experts from industry and research.
Let's join forces to make software more reliable and secure!
Tickets are now available at www.fuzzcon.eu