github / advisory-database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Creative Commons Attribution 4.0 International

[GHSA-j9m2-h2pv-wvph] Regular expression denial of service in jquery-validation #4998

Closed amita-seal closed 1 week ago

amita-seal commented 2 weeks ago

Updates

Comments

The nupkg does not include the vulnerable code. The fixing commit https://github.com/jquery-validation/jquery-validation/commit/69cb17ed774b427f7e2ffcdf197968231725c30e changes code under additional-method.js, which isn't included in the nupkg:

unzip -l 'jquery.validation.1.17.0.nupkg'
Archive:  jquery.validation.1.17.0.nupkg
  Length      Date    Time    Name
---------  ---------- -----   ----
      502  01-25-2018 12:30   _rels/.rels
     1358  01-25-2018 12:30   jQuery.Validation.nuspec
    43876  01-25-2018 12:30   Content/Scripts/jquery.validate-vsdoc.js
    48696  01-25-2018 12:30   Content/Scripts/jquery.validate.js
    23261  01-25-2018 12:30   Content/Scripts/jquery.validate.min.js
     1239  01-25-2018 12:30   package/services/metadata/core-properties/08bfa72bc0cb4e739bbd265188027e4f.psmdcp
      447  01-25-2018 12:30   [Content_Types].xml
     9466  10-14-2018 21:01   .signature.p7s
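The check amita-seal did by hand above (does the shipped package contain any file the fixing commit touched?), as an added example that is not part of this thread or the advisory database. The nupkg is rebuilt in memory from the listing shown; the repository path of the changed file is an assumption, which is why the comparison is by basename.

```python
import io
import posixpath
import zipfile

# Entry names copied from the unzip listing of jquery.validation.1.17.0.nupkg
# above; file contents are empty placeholders (constructed stand-in, not the
# real package).
NUPKG_ENTRIES = [
    "_rels/.rels",
    "jQuery.Validation.nuspec",
    "Content/Scripts/jquery.validate-vsdoc.js",
    "Content/Scripts/jquery.validate.js",
    "Content/Scripts/jquery.validate.min.js",
    "package/services/metadata/core-properties/08bfa72bc0cb4e739bbd265188027e4f.psmdcp",
    "[Content_Types].xml",
    ".signature.p7s",
]

# Files changed by the fixing commit. The thread only names additional-method.js;
# the directory prefix here is an assumed repository layout.
FIX_CHANGED_FILES = ["src/additional/additional-method.js"]


def build_nupkg(entries):
    """Build an in-memory .nupkg (a plain zip archive) with the given entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"")
    return buf.getvalue()


def package_members(nupkg_bytes):
    """List file entries (not directories) inside a nupkg."""
    with zipfile.ZipFile(io.BytesIO(nupkg_bytes)) as zf:
        return [i.filename for i in zf.infolist() if not i.filename.endswith("/")]


def shipped_fix_files(nupkg_bytes, changed_files):
    """Return package entries whose basename matches a file the fix changed.
    Basenames are compared because the package layout (Content/Scripts/...)
    differs from the repository layout, so a full-path comparison would miss
    files that are really shipped under a different directory."""
    wanted = {posixpath.basename(p) for p in changed_files}
    return [m for m in package_members(nupkg_bytes) if posixpath.basename(m) in wanted]


if __name__ == "__main__":
    pkg = build_nupkg(NUPKG_ENTRIES)
    print("fix files present in package:", shipped_fix_files(pkg, FIX_CHANGED_FILES))
```

An empty result supports dropping the package as an affected product; a non-empty one means the shipped file still needs a content check, since a matching name alone does not prove the vulnerable code is there.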
shelbyc commented 1 week ago

Hi @amita-seal, I tried unzipping version 1.19.3 of the nupkg and got the same result as you, so I agree with removing jQuery.Validation as an affected product.

(Screenshot attached, 2024-11-12)
advisory-database[bot] commented 1 week ago

Hi @amita-seal! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!