CVE-2021-23899 — Arbitrary code injection in json-sanitizer

Description

OWASP json-sanitizer before 1.2.2 may emit closing SCRIPT tags and CDATA section delimiters for crafted input. This allows an attacker to inject arbitrary HTML or XML into embedding documents.

How to fix CVE-2021-23899

To remediate CVE-2021-23899, upgrade the affected package to a fixed version below.

Maven/com.mikesamuel:json-sanitizer—upgrade to 1.2.2 or later

Is CVE-2021-23899 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 1.2.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-23899
WEBgithub.com/OWASP/json-sanitizer/commit/a37f594f7378a1c76b3283e0dab9e1ab1dc0247e
WEBgithub.com/OWASP/json-sanitizer/compare/v1.2.1...v1.2.2
WEBgroups.google.com/g/json-sanitizer-support/c/dAW1AeNMoA0