CVE-2022-36033 is a medium-severity vulnerability affecting jsoup, a widely used Java HTML parser designed for HTML editing, cleaning, scraping, and mitigating cross-site scripting (XSS) risks. The vulnerability arises from improper sanitization of HTML content, specifically when the non-default option SafeList.preserveRelativeLinks is enabled. Under this configuration, jsoup fails to sanitize HTML containing 'javascript:' URL expressions crafted with control characters, allowing these potentially malicious URLs to persist in sanitized output. When such unsanitized HTML is rendered on a web page without an appropriate Content Security Policy (CSP), an attacker can exploit this flaw to execute XSS attacks. This means that if a user clicks on a malicious link embedded in the HTML, arbitrary JavaScript code could run in the context of the vulnerable website, potentially leading to session hijacking, credential theft, or other malicious actions. The vulnerability is addressed in jsoup version 1.15.3, where the sanitization logic has been corrected. Users are advised to upgrade to this version and to re-clean any previously sanitized content that may contain malicious payloads. As an immediate workaround, disabling the SafeList.preserveRelativeLinks option will force URLs to be rewritten as absolute URLs, mitigating the risk. Additionally, implementing a robust Content Security Policy is recommended as a defense-in-depth measure to restrict the execution of unauthorized scripts, regardless of the jsoup version in use. No known exploits are currently reported in the wild, but the vulnerability's nature and the widespread use of jsoup in Java-based web applications make it a significant concern for developers and organizations relying on this library.

For European organizations, the impact of CVE-2022-36033 can be substantial, especially for those operating web applications that utilize jsoup for HTML parsing and sanitization. Successful exploitation could lead to cross-site scripting attacks, compromising user data confidentiality and integrity by enabling attackers to steal session cookies, perform actions on behalf of users, or deliver malware. This can damage organizational reputation, lead to regulatory non-compliance (e.g., GDPR violations due to data breaches), and cause financial losses. The vulnerability primarily affects the availability of trust in web services rather than direct service disruption, but indirect impacts such as user lockout or defacement could occur. Organizations in sectors with high web interaction—such as e-commerce, finance, healthcare, and public services—are particularly at risk. The requirement for user interaction (clicking a malicious link) and the need for specific configuration (SafeList.preserveRelativeLinks enabled and lack of CSP) somewhat limit the attack surface but do not eliminate risk, especially in complex environments where legacy configurations persist. Furthermore, the persistence of unsanitized content means that even after patching, residual risks remain unless historical data is reprocessed.

1. Immediate Upgrade: Upgrade all jsoup instances to version 1.15.3 or later to apply the official patch that corrects the sanitization flaw. 2. Content Re-sanitization: Identify and reprocess any stored or cached HTML content sanitized with vulnerable jsoup versions and the problematic configuration to remove malicious payloads. 3. Configuration Hardening: Disable the SafeList.preserveRelativeLinks option unless absolutely necessary. If it must be enabled, enforce strict input validation and sanitization at multiple layers. 4. Implement Content Security Policy (CSP): Define and enforce a robust CSP that restricts script sources and disallows inline scripts or unsafe URL schemes like 'javascript:'. This reduces the impact of any residual XSS vulnerabilities. 5. Security Testing: Conduct thorough security assessments and penetration testing focusing on XSS vectors in web applications using jsoup, especially those with legacy configurations. 6. Monitoring and Incident Response: Monitor web application logs and user reports for suspicious activity indicative of XSS exploitation attempts. Prepare incident response plans to quickly address any detected exploitation. 7. Developer Awareness: Educate development teams about safe HTML parsing practices and the risks of enabling non-default jsoup options without understanding security implications.