SB2022072729 - Denial of service in Moment.js
Published: July 27, 2022
Security Bulletin ID
SB2022072729
Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Denial of service
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Incorrect Regular Expression (CVE-ID: CVE-2022-31129)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper validation of user-supplied input when parsing overly long strings. A remote attacker can pass a string that contains more that 10k characters and perform regular expression denial of service (ReDoS) attack.
Remediation
Install update from vendor's website.
References
- https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3
- https://github.com/moment/moment/pull/6015#issuecomment-1152961973
- https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g
- https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/