
jquery-validation 1.14.0 - sonatype-2021-0040 #4

Open
armorcodegithubqa bot opened this issue Apr 8, 2024 · 1 comment

Comments

@armorcodegithubqa

The application is vulnerable by using this component.
The jquery-validation package is vulnerable to Regular Expression Denial of Service (ReDoS). The url function in jquery.validate.js and core.js uses an insecure regular expression to identify valid urls. A remote attacker can exploit this vulnerability by supplying an input that consists of a long and incomplete url, such as http://aaaaaaaaaa.. This will lead to catastrophic backtracking and result in a Denial of Service condition when the application attempts to process the attacker-supplied data.

Note: This vulnerability was assigned CVE-2021-21252

Package Url: pkg:a-name/jquery-validation@1.14.0
Display Name: jquery-validation 1.14.0
Path Names:
96b6153df00345c3ba2da88795570ea6/wwwroot/lib/jquery-validation/dist/additional-methods.js
96b6153df00345c3ba2da88795570ea6/wwwroot/lib/jquery-validation/dist/jquery.validate.js
Security Issue Reference: sonatype-2021-0040
Security Issue Severity: 7.5
Security Issue Source: sonatype
Security Issue Threat Category: critical
Security Issue Url: http://nexus-iq.armorcode.ai:8070/ui/links/vln/sonatype-2021-0040

File Path: 96b6153df00345c3ba2da88795570ea6/wwwroot/lib/jquery-validation/dist/additional-methods.js

Mitigation: We recommend upgrading to a version of this component that is not vulnerable to this specific issue.

Note: If this component is included as a bundled/transitive dependency of another component, there may not be an upgrade path. In this instance, we recommend contacting the maintainers who included the vulnerable package. Alternatively, we recommend investigating alternative components or a potential mitigating control.

jquery-validation/jquery-validation#2371
GHSA-jxwx-85vp-gvwm

Tool Finding Id: sonatype-2021-0040


Finding [104689312] status changed to Confirmed
Note:
by pragati.dubey@armorcode.io via ArmorCode Platform
