CVE-2021-21252

NameCVE-2021-21252
DescriptionThe jQuery Validation Plugin provides drop-in validation for your existing forms. It is published as an npm package "jquery-validation". jquery-validation before version 1.19.3 contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service). This is fixed in 1.19.3.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3551-1
Debian Bugs980891, 980892

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
civicrm (PTS)bullseye5.33.2+dfsg1-1vulnerable
sid5.68.1+dfsg1-1fixed
otrs2 (PTS)bullseye/non-free6.0.32-6fixed
phpmyadmin (PTS)bullseye4:5.0.4+dfsg2-2+deb11u1fixed
bookworm4:5.2.1+dfsg-1fixed
sid, trixie4:5.2.2-really5.2.2+20241130+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
civicrmsource(unstable)5.50.1+dfsg1-1980892
otrs2sourcebuster6.0.16-2+deb10u1DLA-3551-1
otrs2source(unstable)6.0.32-4980891
phpmyadminsource(unstable)4:5.0.4+dfsg2-2

Notes

[bullseye] - civicrm <no-dsa> (Minor issue)
[stretch] - otrs2 <ignored> (Non-free not supported)
[stretch] - phpmyadmin <no-dsa> (Minor issue; barely an issue in the phpmyadmin package)
https://github.com/jquery-validation/jquery-validation/security/advisories/GHSA-jxwx-85vp-gvwm
not packaged, but civicrm, otrs2, and phpmyadmin embed a copy
https://github.com/phpmyadmin/phpmyadmin/commit/401eedd288c4e83d69287b97a9f574f231156171

Search for package or bug name: Reporting problems