VAADIN:ADVISORY-2021-10-27
Oct 27, 2021

Denial of service in third-party component in Vaadin 7 and 8

Source: vaadin.com

Improper check for exceptional condition in a third-party HTML handling library used in com.vaadin:vaadin-server versions 7.0.0 through 7.7.27 (Vaadin 7.0.0 through 7.7.27) and 8.0.0 through 8.13.3 (Vaadin 8.0.0 through Vaadin 8.13.3) allows network attackers to cause denial of service via unspecified vectors. See CWE-400: Uncontrolled Resource Consumption.

Description

An improper check for an exceptional condition was discovered in the third-party HTML handling library org.jsoup:jsoup, which is used as a transitive dependency in Vaadin 7 and 8 for sanitizing HTML. By crafting invalid HTML input, an attacker can cause the server-side parsing logic to get stuck (loop indefinitely until cancelled) or to complete more slowly than usual. The vulnerability may impact service availability, but cannot cause execution of untrusted code or disclosure of sensitive information.

Affected products and mitigation

Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:

Product version           Mitigation
Vaadin 7.0.0 - 7.7.27     Upgrade to 7.7.28 or a newer 7 version (Vaadin 7 extended maintenance)
Vaadin 8.0.0 - 8.13.3     Upgrade to 8.14.0 or a newer 8 version

Please note that Vaadin 7 updates are only available to extended-support customers.

Artifacts

Maven coordinates            Vulnerable version    Fixed version
com.vaadin:vaadin-server     7.0.0 - 7.7.27        ≥ 7.7.28
com.vaadin:vaadin-server     8.0.0 - 8.13.3        ≥ 8.14.0

References

Vendor advisory: https://github.com/jhy/jsoup/security/advisories/GHSA-m72m-mhq2-9p6c
CVE: https://vulners.com/cve/CVE-2021-37714
PR: https://github.com/vaadin/framework/pull/12381
PR: https://github.com/vaadin/framework/pull/12382
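Because the vulnerable code arrives as a transitive dependency (org.jsoup:jsoup pulled in by com.vaadin:vaadin-server), the practical check is to audit the resolved dependency tree rather than the application's own pom.xml. The following script is an added example, not Vaadin's or jsoup's code: it parses the text output of `mvn dependency:tree`, classifies every com.vaadin:vaadin-server occurrence against the version ranges and fixed versions stated in this advisory (7.0.0 - 7.7.27 fixed in 7.7.28, 8.0.0 - 8.13.3 fixed in 8.14.0), and lists any org.jsoup:jsoup occurrence for manual review against the linked GHSA, since this page gives no jsoup version range of its own. The embedded dependency tree is constructed sample input; the jsoup version shown in it is illustrative, not a claim about what any Vaadin release actually ships.

```python
"""Audit a `mvn dependency:tree` listing against VAADIN:ADVISORY-2021-10-27.

Added example (not project code). Usage against a real build:
    mvn dependency:tree > tree.txt && python audit_vaadin.py tree.txt
"""
import re
import sys
from typing import List, Optional, Tuple

# Fixed versions stated in the advisory, keyed by Vaadin major version.
# Everything below the fixed version on the same major line is affected
# (7.0.0 - 7.7.27 and 8.0.0 - 8.13.3).
FIXED_VAADIN_SERVER = {7: "7.7.28", 8: "8.14.0"}

# One dependency line of the default text tree, e.g.
#   "[INFO] |  +- org.jsoup:jsoup:jar:1.11.3:compile"
# Coordinates are group:artifact:type[:classifier]:version:scope; the
# project root line has no scope and therefore does not match.
DEP_LINE = re.compile(
    r"(?P<group>[A-Za-z0-9_.\-]+):(?P<artifact>[A-Za-z0-9_.\-]+):(?P<type>[a-z\-]+):"
    r"(?:(?P<classifier>[A-Za-z0-9_.\-]+):)?(?P<version>[A-Za-z0-9_.\-]+):(?P<scope>[a-z]+)"
)

# Constructed sample input for the example; not real build output.
SAMPLE_TREE = """\
[INFO] com.example:webapp:war:1.0-SNAPSHOT
[INFO] +- com.vaadin:vaadin-server:jar:8.13.3:compile
[INFO] |  +- org.jsoup:jsoup:jar:1.11.3:compile
[INFO] |  \\- com.vaadin:vaadin-shared:jar:8.13.3:compile
[INFO] \\- javax.servlet:javax.servlet-api:jar:3.1.0:provided
"""


def parse_version(version: str) -> Optional[Tuple[int, ...]]:
    """Leading numeric major.minor.patch; None if the string cannot be ordered safely."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    return tuple(int(x) for x in m.groups()) if m else None


def vaadin_server_status(version: str) -> Tuple[str, Optional[str]]:
    """Classify one com.vaadin:vaadin-server version: (status, fixed_version)."""
    parsed = parse_version(version)
    if parsed is None:
        return "unknown", None            # e.g. a non-numeric version string
    fixed = FIXED_VAADIN_SERVER.get(parsed[0])
    if fixed is None:
        return "out-of-scope", None       # not a Vaadin 7/8 line; this advisory does not cover it
    if parsed < parse_version(fixed):
        return "vulnerable", fixed
    return "fixed", fixed


Finding = Tuple[str, str, str, Optional[str]]  # (group:artifact, version, status, fixed)


def audit_dependency_tree(tree_output: str) -> List[Finding]:
    """Return one finding per vaadin-server or jsoup occurrence in the tree."""
    findings: List[Finding] = []
    for line in tree_output.splitlines():
        m = DEP_LINE.search(line)
        if not m:
            continue
        ga = f"{m['group']}:{m['artifact']}"
        if ga == "com.vaadin:vaadin-server":
            status, fixed = vaadin_server_status(m["version"])
            findings.append((ga, m["version"], status, fixed))
        elif ga == "org.jsoup:jsoup":
            # The page states no jsoup range; flag for review against GHSA-m72m-mhq2-9p6c.
            findings.append((ga, m["version"], "review", None))
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TREE
    for ga, version, status, fixed in audit_dependency_tree(text):
        suffix = f" (fixed in {fixed})" if fixed else ""
        print(f"{status:12} {ga}:{version}{suffix}")
```

A tree that lists the same artifact more than once (for example through different modules) yields one finding per occurrence, which is what you want: each resolved path must be bumped, not just the first one found.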