Platform
dotnet
Component
jquery.validation
Fixed version
1.19.4
1.19.3
CVE-2021-21252 identifies a Denial of Service (DoS) vulnerability within the jQuery.Validation library. This vulnerability stems from the presence of regular expressions susceptible to ReDoS (Regular Expression Denial of Service) attacks, potentially causing significant service disruption. The vulnerability affects versions of jQuery.Validation up to and including 1.9.0.1, with a fix available in version 1.19.3.
A ReDoS attack exploits inefficient regular expressions, causing them to consume excessive CPU resources and potentially crash the application or server. In the context of jQuery.Validation, an attacker could craft malicious input that triggers these vulnerable regular expressions, leading to a denial of service for users relying on the library. The impact can range from temporary website unavailability to complete system outages, depending on the deployment and load. While the vulnerability itself doesn't directly expose sensitive data, the resulting DoS can be used as a distraction for other malicious activities.
This vulnerability was discovered and reported by GitHub team member @erik-krogh. While no active exploitation campaigns have been publicly reported as of the last update, ReDoS vulnerabilities are generally considered exploitable and can be easily triggered. The vulnerability is not currently listed on CISA KEV. Public proof-of-concept exploits are available, demonstrating the ease of triggering ReDoS attacks against vulnerable versions of jQuery.Validation.
Web applications and websites that utilize jQuery.Validation versions prior to 1.19.3 are at risk. This includes applications built on .NET frameworks that incorporate jQuery.Validation for form validation. Shared hosting environments where multiple applications share the same jQuery.Validation library are particularly vulnerable, as a compromise of one application could affect others.
• .NET / web: Monitor application logs for excessive CPU usage or crashes related to regular expression processing. Use performance monitoring tools to identify slow or unresponsive regular expression calls.
  # Lists processes that have accumulated more than 100 seconds of CPU time
  Get-Process | Where-Object {$_.CPU -gt 100} | Select-Object Name, CPU
• .NET / web: Inspect the jQuery.Validation source code for regular expressions that match known ReDoS patterns. Use static analysis tools to identify potential vulnerabilities.
• generic web: Examine web server access logs for unusual patterns of requests that might indicate an attacker attempting to trigger ReDoS.
disclosure
Exploit status
EPSS
0.70% (72nd percentile)
CVSS vector
The primary mitigation for CVE-2021-21252 is to upgrade jQuery.Validation to version 1.19.3 or later, which contains the fix for the vulnerable regular expressions. If immediate upgrading is not feasible, consider implementing input validation and sanitization techniques to prevent malicious input from reaching the vulnerable regular expressions. Web Application Firewalls (WAFs) with regular expression filtering capabilities can also provide a temporary layer of protection. After upgrading, confirm the fix by testing the application with various input strings, including those known to trigger ReDoS vulnerabilities.
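As an added example (not code from the jquery-validation project, and not the regular expression patched in CVE-2021-21252), the following Node.js script uses a constructed backtracking-prone pattern to show what a ReDoS-susceptible regex looks like next to a hardened equivalent, how capping input length before the engine runs bounds the damage when an upgrade must wait, and how timing regex evaluation on long inputs makes a slow pattern visible when retesting after the fix. The names `VULNERABLE_RE`, `HARDENED_RE`, `MAX_LEN`, `maliciousInput`, `safeTest` and `growthTable` are assumptions of this example.

```javascript
// Added illustration only: NOT jquery-validation code and NOT the regex fixed in
// CVE-2021-21252. Every pattern, limit and input below is constructed.

// Constructed backtracking-prone pattern: a nested unbounded quantifier (`\w+`
// inside `(...)*`) with an optional separator lets the engine split one run of
// word characters in exponentially many ways before concluding "no match".
const VULNERABLE_RE = /^(\w+\s?)*$/;

// Same intent ("words separated by single spaces") written so each position can
// be consumed only one way: the separator is mandatory, so no nested ambiguity.
const HARDENED_RE = /^\w+( \w+)*$/;

// Assumed hard cap on validated input length. A server-side validator or WAF
// rule enforcing such a cap bounds the work a pathological pattern can do.
const MAX_LEN = 256;

// Constructed worst case: a long run of word characters ending in a character
// that can never match, forcing the vulnerable pattern to backtrack fully.
function maliciousInput(n) {
  return "a".repeat(n) + "!";
}

// Evaluate a regex defensively: reject over-long input before the engine runs,
// and report elapsed milliseconds so slow patterns show up in tests or monitoring.
function safeTest(re, input, maxLen = MAX_LEN) {
  if (input.length > maxLen) {
    return { matched: false, rejected: true, ms: 0 };
  }
  const start = process.hrtime.bigint();
  const matched = re.test(input);
  const ms = Number(process.hrtime.bigint() - start) / 1e6;
  return { matched, rejected: false, ms };
}

// Time both patterns across growing input sizes (length cap disabled so the
// growth is visible): the vulnerable one roughly doubles per extra character,
// the hardened one stays flat.
function growthTable(sizes) {
  return sizes.map((n) => {
    const input = maliciousInput(n);
    return {
      n,
      vulnerableMs: safeTest(VULNERABLE_RE, input, Infinity).ms,
      hardenedMs: safeTest(HARDENED_RE, input, Infinity).ms,
    };
  });
}

// Demo run: small sizes only, so the vulnerable pattern finishes quickly.
for (const row of growthTable([10, 12, 14, 16])) {
  console.log(
    `n=${row.n}  vulnerable=${row.vulnerableMs.toFixed(2)}ms  hardened=${row.hardenedMs.toFixed(2)}ms`
  );
}
console.log("oversized input with cap:", safeTest(VULNERABLE_RE, maliciousInput(10000)));
```

The length cap is a stopgap, not a fix: it limits how much backtracking a single request can trigger, but only upgrading to the patched version removes the pathological pattern itself. When re-running `growthTable` against a library's own validation methods after an upgrade, evaluation time that stays flat as input grows is the result to look for.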
Update the jquery-validation package to version 1.19.3 or later. This fixes the regular expression denial of service (ReDoS) vulnerability. You can update the package using npm or yarn.
CVE-2021-21252 is a Denial of Service vulnerability in jQuery.Validation versions 1.9.0.1 and earlier, caused by vulnerable regular expressions that can lead to ReDoS attacks.
You are affected if your application uses jQuery.Validation version 1.9.0.1 or earlier. Check your project dependencies to determine if you are using a vulnerable version.
Upgrade jQuery.Validation to version 1.19.3 or later to resolve the vulnerability. If immediate upgrade is not possible, implement input validation and sanitization.
While no active campaigns have been publicly reported, ReDoS vulnerabilities are generally considered exploitable and public proof-of-concept exploits are available.
Refer to the GitHub Security Lab advisory and the jQuery.Validation project repository for details: https://github.com/jquery/jquery-validation/security/advisories/GHSA-5x4j-p347-497c