
Cloud Vulnerability DB
A community-led vulnerabilities database
jsoup, a Java HTML parser built for HTML editing, cleaning, scraping, and cross-site scripting (XSS) safety, was found to contain a security vulnerability (CVE-2022-36033) that was disclosed on August 24, 2022. The vulnerability affects versions prior to 1.15.3, where jsoup may incorrectly sanitize HTML including javascript: URL expressions when the non-default SafeList.preserveRelativeLinks option is enabled (GitHub Advisory).
The vulnerability exists in jsoup's Cleaner component, which is designed to sanitize input HTML against configurable safe-lists of acceptable tags, attributes, and attribute values. When SafeList.preserveRelativeLinks is enabled, an attacker can bypass the URL protocol validation check by embedding control characters into href attribute values. For example, 'java\tscript:...' would resolve to 'https://example.com/java\tscript:...'. Java treats such a path as a relative URL, but browsers may strip the control characters during URL normalization and evaluate the link as a javascript: expression, leading to potential XSS attacks. The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) (GitHub Advisory).
Successful exploitation of this vulnerability could lead to cross-site scripting (XSS) attacks on sites that accept input HTML from users and use jsoup to sanitize that HTML, if they have enabled SafeList.preserveRelativeLinks and do not set an appropriate Content Security Policy. This could result in unauthorized disclosure of sensitive information or modification of data (NetApp Security).
The vulnerability has been patched in jsoup version 1.15.3. Users should upgrade to this version and re-clean any previously sanitized content. Alternative workarounds include disabling SafeList.preserveRelativeLinks, which will rewrite input URLs as absolute URLs, and ensuring an appropriate Content Security Policy is defined as a defense-in-depth measure (GitHub Advisory, jsoup News).
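The following added example (not jsoup's own code, nor from the advisory) shows how a defender can exercise the failure mode described above and add a defence-in-depth check behind the Cleaner: it runs a constructed anchor with a tab embedded in the scheme through Jsoup.clean with the non-default preserveRelativeLinks option, then re-parses the cleaned output and drops any href whose browser-visible scheme, after removing ASCII tab/newline and trimming control characters the way a browser's URL parser does, is not in the allowlist. It assumes jsoup 1.14.1 or later on the classpath (where the class is spelled Safelist) and Java 9+; the text after the colon in the sample is a placeholder, not a script.

```java
import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;
import org.jsoup.nodes.Element;
import org.jsoup.safety.Safelist;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class RelativeLinkCheck {
    // Schemes that Safelist.basic() admits on a[href]; a relative link has no scheme.
    private static final Set<String> ALLOWED = Set.of("http", "https", "ftp", "mailto");
    private static final Pattern SCHEME = Pattern.compile("^([A-Za-z][A-Za-z0-9+.-]*):");
    // Constructed sample in the shape the advisory describes: a tab inside the scheme.
    static final String SAMPLE = "<p>hi <a href=\"java\tscript:PLACEHOLDER\">link</a></p>";

    // Normalise an href as a browser's URL parser does before reading the scheme:
    // remove ASCII tab/newline anywhere, trim C0 controls and spaces at both ends.
    static String browserNormalise(String href) {
        String s = href.replaceAll("[\\t\\n\\r]", "");
        return s.replaceAll("^[\\x00-\\x20]+|[\\x00-\\x20]+$", "");
    }

    // The scheme a browser would see, lower-cased, or "" for a relative URL.
    static String browserScheme(String href) {
        Matcher m = SCHEME.matcher(browserNormalise(href));
        return m.find() ? m.group(1).toLowerCase(Locale.ROOT) : "";
    }

    // Defence-in-depth pass over already-cleaned HTML: drop any href whose browser-visible
    // scheme is not allowlisted. A non-zero result means the sanitizer let an unsafe link through.
    static int stripUnsafeHrefs(Document cleaned) {
        int removed = 0;
        for (Element a : cleaned.select("a[href]")) {
            String scheme = browserScheme(a.attr("href"));
            if (!scheme.isEmpty() && !ALLOWED.contains(scheme)) {
                a.removeAttr("href");
                removed++;
            }
        }
        return removed;
    }

    public static void main(String[] args) {
        Safelist safelist = Safelist.basic().preserveRelativeLinks(true);
        String cleaned = Jsoup.clean(SAMPLE, "https://example.com/", safelist);
        Document doc = Jsoup.parseBodyFragment(cleaned);
        System.out.println("unsafe links stripped after clean: " + stripUnsafeHrefs(doc));
        System.out.println(doc.body().html());
    }
}
```

On a jsoup release affected by CVE-2022-36033 the post-clean pass reports one stripped link, which is the regression signal to watch for; on 1.15.3 or later the Cleaner itself should already have rejected the attribute.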
Source: This report was generated using AI