CVE-2021-21252

Name: CVE-2021-21252
Description: The jQuery Validation Plugin provides drop-in validation for your existing forms. It is published as an npm package "jquery-validation". jquery-validation before version 1.19.3 contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service). This is fixed in 1.19.3.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium
Debian Bugs: 980891, 980892

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| civicrm (PTS) | bookworm, sid, bullseye | 5.33.2+dfsg1-1 | vulnerable |
| otrs2 (PTS) | stretch/non-free (security), stretch/non-free | 5.0.16-1+deb9u6 | vulnerable |
| | buster/non-free | 6.0.16-2 | vulnerable |
| | bullseye/non-free | 6.0.32-6 | fixed |
| | bookworm/non-free, sid/non-free | 6.0.36-2 | fixed |
| phpmyadmin (PTS) | stretch | 4:4.6.6-4+deb9u1 | vulnerable |
| | stretch (security) | 4:4.6.6-4+deb9u2 | vulnerable |
| | bullseye | 4:5.0.4+dfsg2-2 | fixed |
| | bookworm, sid | 4:5.1.1+dfsg1-4 | fixed |

The information below is based on the following data on fixed versions.

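| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| civicrm | source | (unstable) | (unfixed) | | | 980892 |
| otrs2 | source | (unstable) | 6.0.32-4 | | | 980891 |
| phpmyadmin | source | (unstable) | 4:5.0.4+dfsg2-2 | | | |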

Notes

[bullseye] - civicrm <no-dsa> (Minor issue)
[buster] - otrs2 <ignored> (Non-free not supported)
[stretch] - otrs2 <ignored> (Non-free not supported)
[stretch] - phpmyadmin <no-dsa> (Minor issue; barely an issue in the phpmyadmin package)
https://github.com/jquery-validation/jquery-validation/security/advisories/GHSA-jxwx-85vp-gvwm
not packaged, but civicrm, otrs2, and phpmyadmin embed a copy
https://github.com/phpmyadmin/phpmyadmin/commit/401eedd288c4e83d69287b97a9f574f231156171
