Improper check for exceptional condition in a third-party HTML handling library used in com.vaadin:vaadin-server versions 7.0.0 through 7.7.27 (Vaadin 7.0.0 through 7.7.27) and 8.0.0 through 8.13.3 (Vaadin 8.0.0 through Vaadin 8.13.3) allows network attackers to cause denial of service via unspecified vectors.
An improper check for an exceptional condition was discovered in the third-party HTML handling library org.jsoup:jsoup, which Vaadin 7 and 8 use as a transitive dependency for sanitizing HTML. By crafting an invalid HTML input, an attacker could cause the server-side parsing logic to get stuck (loop indefinitely until cancelled) or to complete more slowly than usual. The vulnerability may impact service availability, but cannot cause execution of untrusted code or disclosure of sensitive information.
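To check whether a build resolves an affected `vaadin-server`, the following added example (not part of the advisory or of Vaadin's tooling) scans `mvn dependency:tree` output for versions inside the ranges stated above and reports the transitive `org.jsoup:jsoup` version next to them. The sample tree and every version in it are constructed, and the function names are hypothetical.

```python
import re

# Affected com.vaadin:vaadin-server ranges (inclusive), as stated in the advisory.
AFFECTED = [((7, 0, 0), (7, 7, 27)), ((8, 0, 0), (8, 13, 3))]

# A coordinate in `mvn dependency:tree` output:
# groupId:artifactId:type[:classifier]:version:scope
COORD = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>[\w\-]+)"
    r"(?::(?P<classifier>[\w.\-]+))?:(?P<version>[\w.\-]+)"
    r":(?P<scope>compile|runtime|provided|test|system)\b"
)

def parse_version(text):
    """Return (major, minor, patch) for a plain x.y.z version, else None."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)$", text)
    return tuple(int(p) for p in m.groups()) if m else None

def classify(version):
    """Compare one vaadin-server version against the advisory's ranges."""
    v = parse_version(version)
    if v is None:
        return "review"  # qualifier or unusual scheme: check by hand
    in_range = any(lo <= v <= hi for lo, hi in AFFECTED)
    return "affected" if in_range else "not-in-range"

def scan(tree_text):
    """Return ([(vaadin-server version, status)], [jsoup versions])."""
    findings, jsoup = [], []
    for line in tree_text.splitlines():
        m = COORD.search(line)
        if not m:
            continue  # project header lines carry no scope and are skipped
        ga = (m["group"], m["artifact"])
        if ga == ("com.vaadin", "vaadin-server"):
            findings.append((m["version"], classify(m["version"])))
        elif ga == ("org.jsoup", "jsoup"):
            jsoup.append(m["version"])
    return findings, jsoup

# Constructed sample: lines as several modules' dependency trees might print them.
SAMPLE_TREE = r"""
[INFO] com.example:shop:war:1.0-SNAPSHOT
[INFO] +- com.vaadin:vaadin-server:jar:8.13.3:compile
[INFO] |  \- org.jsoup:jsoup:jar:1.11.3:compile
[INFO] +- com.vaadin:vaadin-server:jar:7.7.28:compile
[INFO] \- com.vaadin:vaadin-server:jar:8.0.0.beta1:compile
"""

if __name__ == "__main__":
    print(scan(SAMPLE_TREE))
```

A `not-in-range` result only means the version lies outside the ranges listed in this advisory; the script makes no judgement about the jsoup version it reports.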
Affected products and mitigation
Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include: