Denial of service in third-party component in Vaadin 7 and 8

Severity:
High (Base score 7.5) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Overview

Improper check for exceptional condition in a third party HTML handling library used in com.vaadin:vaadin-server versions 7.0.0 through 7.7.27 (Vaadin 7.0.0 through 7.7.27) and 8.0.0 through 8.13.3 (Vaadin 8.0.0 through Vaadin 8.13.3) allows network attackers to cause denial of service via unspecified vectors.

See CWE-400: Uncontrolled Resource Consumption

Description

An improper check for an exceptional condition was discovered in the third-party HTML handling library org.jsoup:jsoup, which Vaadin 7 and 8 use as a transitive dependency for sanitizing HTML. By crafting invalid HTML input, an attacker could cause the server-side parsing logic to get stuck (loop indefinitely until cancelled) or to complete more slowly than usual. The vulnerability may impact service availability, but cannot cause execution of untrusted code or disclosure of sensitive information.
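The failure mode above is a sanitizer call that never returns. As an added example (not Vaadin's or jsoup's code), the wrapper below bounds how long a caller waits for any HTML sanitizer and fails closed on oversized input or timeout; the sanitizer function, the timeout and the size limit are assumptions, and the hanging sanitizer in `main` is a constructed stand-in. This only protects the calling thread: a parser loop that never checks the interrupt flag keeps its worker thread busy, so upgrading remains the real fix.

```java
import java.util.concurrent.*;
import java.util.function.Function;

/** Bounded wrapper around an HTML sanitizer that may hang on malformed input. */
public final class BoundedSanitizer {
    private final Function<String, String> sanitizer; // assumed: e.g. html -> jsoup clean call
    private final ExecutorService pool;
    private final long timeoutMillis;
    private final int maxInputChars;

    public BoundedSanitizer(Function<String, String> sanitizer, long timeoutMillis, int maxInputChars) {
        this.sanitizer = sanitizer;
        this.timeoutMillis = timeoutMillis;
        this.maxInputChars = maxInputChars;
        // Daemon threads so a stuck parser cannot block JVM shutdown.
        this.pool = Executors.newCachedThreadPool(r -> {
            Thread t = new Thread(r, "html-sanitizer");
            t.setDaemon(true);
            return t;
        });
    }

    /** Returns sanitized HTML, or "" if the input is too large or parsing does not finish in time. */
    public String sanitize(String untrustedHtml) {
        if (untrustedHtml == null || untrustedHtml.length() > maxInputChars) {
            return ""; // fail closed: never hand oversized input to the parser
        }
        Future<String> result = pool.submit(() -> sanitizer.apply(untrustedHtml));
        try {
            return result.get(timeoutMillis, TimeUnit.MILLISECONDS);
        } catch (TimeoutException e) {
            // cancel(true) interrupts the worker; a loop that ignores interrupts keeps running,
            // so this bounds the caller's latency, not the CPU the stuck thread consumes.
            result.cancel(true);
            return "";
        } catch (ExecutionException e) {
            return ""; // the sanitizer threw on malformed input
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            result.cancel(true);
            return "";
        }
    }

    public static void main(String[] args) {
        // Constructed stand-in: hangs on one marker string, otherwise strips tags.
        Function<String, String> hangingSanitizer = html -> {
            if (html.contains("<hang>")) { while (true) { } }
            return html.replaceAll("<[^>]*>", "");
        };
        BoundedSanitizer s = new BoundedSanitizer(hangingSanitizer, 500, 64 * 1024);
        System.out.println("sanitized: " + s.sanitize("<b>ok</b>"));
        System.out.println("timed out: " + s.sanitize("<hang>x").isEmpty());
    }
}
```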

Affected products and mitigation

Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:

Product version          Mitigation
Vaadin 7.0.0 - 7.7.27    Upgrade to 7.7.28 or a newer 7 version (Vaadin 7 extended maintenance)
Vaadin 8.0.0 - 8.13.3    Upgrade to 8.14.0 or a newer 8 version

Please note that Vaadin 7 updates are only available to extended-support customers.

Artifacts

Maven coordinates           Vulnerable version    Fixed version
com.vaadin:vaadin-server    7.0.0 - 7.7.27        ≥ 7.7.28
com.vaadin:vaadin-server    8.0.0 - 8.13.3        ≥ 8.14.0

References

History

  • 2021-10-27: Initial vulnerability report published