CVE-2022-31147 — Regex Denial of Service in Jquery Validation

CWE-1333 — Regex Denial of Service6 documents5 sources

Severity

7.5HIGHNVD

EPSS

0.3%

top 44.64%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jqueryvalidation Jquery Validation Jquery-validation Debian Node-jquery-validation

Timeline

PublishedJul 14

Latest updateJan 15

Description

The jQuery Validation Plugin (jquery-validation) provides drop-in validation for forms. Versions of jquery-validation prior to 1.19.5 are vulnerable to regular expression denial of service (ReDoS) when an attacker is able to supply arbitrary input to the url2 method. This is due to an incomplete fix for CVE-2021-43306. Users should upgrade to version 1.19.5 to receive a patch.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶NVDjqueryvalidation/jquery_validation< 1.19.5

▶npmjquery-validation/jquery-validation< 1.19.5

▶debiandebian/node-jquery-validation

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2022-31147: The jQuery Validation Plugin (jquery-validation) provides drop-in validation for forms↗2022-07-14

▶

OSV

jquery-validation Regular Expression Denial of Service due to arbitrary input to url2 method↗2022-07-05

▶

GHSA

jquery-validation Regular Expression Denial of Service due to arbitrary input to url2 method↗2022-07-05

▶

📋Vendor Advisories

Oracle

Oracle Oracle Communications Applications Risk Matrix: Billing Care (jQuery) — CVE-2022-31147↗2024-01-15

▶

Debian

CVE-2022-31147: node-jquery-validation - The jQuery Validation Plugin (jquery-validation) provides drop-in validation for...↗2022

▶