CVE-2021-42575

9.8 CRITICAL

📋 TL;DR

CVE-2021-42575 is a critical vulnerability in the OWASP Java HTML Sanitizer that allows bypassing HTML sanitization policies for SELECT, STYLE, and OPTION elements. This enables cross-site scripting (XSS) attacks where malicious scripts can execute in users' browsers. Any Java application using vulnerable versions of this library for HTML sanitization is affected.

💻 Affected Systems

Products:
  • OWASP Java HTML Sanitizer
  • Any Java application using OWASP Java HTML Sanitizer
Versions: All versions before 20211018.1
Operating Systems: All operating systems running Java
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists when using the library's default or custom policies that involve SELECT, STYLE, or OPTION elements.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers can execute arbitrary JavaScript in victims' browsers, leading to session hijacking, credential theft, complete account takeover, and client-side attacks against application users.

🟠 Likely Case

Cross-site scripting attacks that steal session cookies, redirect users to malicious sites, or perform actions on behalf of authenticated users.

🟢 If Mitigated

With proper Content Security Policy headers and other defense-in-depth controls, impact is reduced to limited script execution within CSP constraints.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction (visiting malicious page) but is straightforward for attackers with XSS knowledge.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 20211018.1 or later

Vendor Advisory: https://github.com/OWASP/java-html-sanitizer/releases/tag/v20211018.1

Restart Required: Yes

Instructions:

1. Update the Maven/Gradle dependency to version 20211018.1 or later.
2. Rebuild and redeploy the application.
3. Restart application servers.

🔧 Temporary Workarounds

Implement Content Security Policy (applies to: all)

Add a strict Content Security Policy header to limit the sources from which scripts may execute. The policy below also blocks inline scripts and inline event handlers, so applications that rely on them need nonces or hashes in script-src.

Content-Security-Policy: default-src 'self'; script-src 'self'

Input Validation Enhancement (applies to: all)

Add additional input validation before HTML sanitization, and tighten the sanitizer policy so it does not allow SELECT, STYLE or OPTION elements where the application does not need them.

🧯 If You Can't Patch

  • Implement WAF rules to block malicious HTML/JavaScript patterns
  • Isolate vulnerable applications behind reverse proxies with additional sanitization

🔍 How to Verify

Check if Vulnerable:

Check Maven pom.xml or Gradle build.gradle for OWASP Java HTML Sanitizer version < 20211018.1

Check Version:

grep -r "java-html-sanitizer" pom.xml build.gradle

Verify Fix Applied:

Verify library version is 20211018.1 or later in dependency files and deployed application
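As an added example (not part of this advisory), the following Python script performs the check described above: it reads Maven and Gradle dependency declarations, finds the owasp-java-html-sanitizer artifact, and flags versions before 20211018.1. The groupId/artifactId are the library's Maven Central coordinates; the sample pom.xml and build.gradle contents are constructed.

```python
# Added example (not part of the advisory): flag Maven/Gradle declarations of the
# OWASP Java HTML Sanitizer whose version predates the CVE-2021-42575 fix.
import re
import xml.etree.ElementTree as ET

FIXED_VERSION = "20211018.1"
ARTIFACT = "owasp-java-html-sanitizer"  # artifactId on Maven Central
GRADLE_DEP = re.compile(ARTIFACT + r":(\d[\w.]*)")  # 'group:artifact:version' strings

def version_key(version):
    """Releases are date-based ('20211018.1'); compare each numeric part in order."""
    return tuple(int(p) for p in re.findall(r"\d+", version))

def is_vulnerable(version):
    """True if before the fix, False if fixed, None if unresolved (e.g. '${prop}')."""
    key = version_key(version)
    if not key:
        return None
    return key < version_key(FIXED_VERSION)

def versions_in_pom(pom_xml):
    """Versions declared for the sanitizer in a pom.xml string (namespace-agnostic)."""
    found = []
    for el in ET.fromstring(pom_xml).iter():
        if el.tag.split("}")[-1] != "dependency":
            continue
        fields = {c.tag.split("}")[-1]: (c.text or "").strip() for c in el}
        if fields.get("artifactId") == ARTIFACT:
            found.append(fields.get("version", ""))
    return found

def versions_in_gradle(build_gradle):
    """Versions from 'group:artifact:version' coordinates in a build.gradle string."""
    return GRADLE_DEP.findall(build_gradle)

def scan(pom_xml="", build_gradle=""):
    """Return [(version, vulnerable?)] for every sanitizer declaration found."""
    versions = (versions_in_pom(pom_xml) if pom_xml else []) + versions_in_gradle(build_gradle)
    return [(v, is_vulnerable(v)) for v in versions]

# Constructed sample inputs (not taken from any real project).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies><dependency>
  <groupId>com.googlecode.owasp-java-html-sanitizer</groupId>
  <artifactId>owasp-java-html-sanitizer</artifactId><version>20200713.1</version>
</dependency></dependencies></project>"""
SAMPLE_GRADLE = "implementation 'com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer:20211018.1'\n"

if __name__ == "__main__":
    for version, vuln in scan(SAMPLE_POM, SAMPLE_GRADLE):
        print(version, {True: "VULNERABLE", False: "ok", None: "unresolved"}[vuln])
```

A version that resolves to a Maven property (for example `${sanitizer.version}`) is reported as unresolved and must be looked up in the properties block or the deployed artifact.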

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTML patterns with SELECT/STYLE/OPTION elements in user input
  • XSS attack patterns in web server logs

Network Indicators:

  • Malicious script injection attempts in HTTP requests
  • Unexpected external script loads

SIEM Query:

source="web_server" AND ("SELECT" OR "STYLE" OR "OPTION") AND ("script" OR "javascript" OR "onload")

Expect noise: SELECT, STYLE and OPTION appear in legitimate traffic (and SELECT in SQL), so scope the query to the fields that carry user-supplied HTML and tune it before alerting on it.
