SCA: security update for org.jsoup:jsoup (GHSA-gp7f-rwcx-9369)

medium Tenable Self-Hosted Container Security Plugin ID 415223

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- jsoup is a Java HTML parser, built for HTML editing, cleaning, scraping, and cross-site scripting (XSS)
safety. jsoup may incorrectly sanitize HTML including `javascript:` URL expressions, which could allow XSS
attacks when a reader subsequently clicks that link. If the non-default `SafeList.preserveRelativeLinks`
option is enabled, HTML including `javascript:` URLs that have been crafted with control characters will
not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an
XSS attack is then possible. This issue is patched in jsoup 1.15.3. Users should upgrade to this version.
Additionally, as the unsanitized input may have been persisted, old content should be cleaned again using
the updated version. To remediate this issue without immediately upgrading: - disable
`SafeList.preserveRelativeLinks`, which will rewrite input URLs as absolute URLs - ensure an appropriate
[Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) is defined. (This should
be used regardless of upgrading, as a defence-in-depth best practice.) (CVE-2022-36033)

See Also

https://github.com/advisories/GHSA-gp7f-rwcx-9369

Plugin Details

Severity: Medium

ID: 415223

Version: Revision 1.5

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.3

Percentile: 53.37

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2022-36033

CVSS v3

Risk Factor: Medium

Base Score: 6.1

Temporal Score: 5.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 9/1/2022

Vulnerability Publication Date: 8/29/2022

Reference Information

CVE: CVE-2022-36033

cwe: CWE-79