CVE-2021-21252

NameCVE-2021-21252
DescriptionThe jQuery Validation Plugin provides drop-in validation for your existing forms. It is published as an npm package "jquery-validation". jquery-validation before version 1.19.3 contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service). This is fixed in 1.19.3.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3551-1
Debian Bugs980891, 980892

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
civicrm (PTS)bullseye5.33.2+dfsg1-1vulnerable
sid5.68.1+dfsg1-1fixed
otrs2 (PTS)jessie, jessie (lts)3.3.18-1+deb8u15vulnerable
stretch/non-free (security), stretch/non-free (lts), stretch/non-free5.0.16-1+deb9u6vulnerable
buster/non-free (security), buster/non-free6.0.16-2+deb10u1fixed
bullseye/non-free6.0.32-6fixed
phpmyadmin (PTS)jessie, jessie (lts)4:4.2.12-2+deb8u12vulnerable
stretch (security)4:4.6.6-4+deb9u2vulnerable
stretch (lts), stretch4:4.6.6-4+deb9u3vulnerable
bullseye4:5.0.4+dfsg2-2+deb11u1fixed
bookworm4:5.2.1+dfsg-1fixed
sid, trixie4:5.2.2-really5.2.2+20241130+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
civicrmsource(unstable)5.50.1+dfsg1-1980892
otrs2sourcejessie(unfixed)end-of-life
otrs2sourcebuster6.0.16-2+deb10u1DLA-3551-1
otrs2source(unstable)6.0.32-4980891
phpmyadminsource(unstable)4:5.0.4+dfsg2-2

Notes

[bullseye] - civicrm <no-dsa> (Minor issue)
[stretch] - otrs2 <ignored> (Non-free not supported)
[stretch] - phpmyadmin <no-dsa> (Minor issue; barely an issue in the phpmyadmin package)
https://github.com/jquery-validation/jquery-validation/security/advisories/GHSA-jxwx-85vp-gvwm
not packaged, but civicrm, otrs2, and phpmyadmin embed a copy
https://github.com/phpmyadmin/phpmyadmin/commit/401eedd288c4e83d69287b97a9f574f231156171
[jessie] - phpmyadmin <no-dsa> (Minor issue; barely an issue in the phpmyadmin package)

Search for package or bug name: Reporting problems