More information
#### Details
##### Impact
This vulnerability impacts npm (server) users of moment.js, especially if a user-provided locale string, e.g. `fr`, is used directly to switch the moment locale.
##### Patches
This problem is patched in 2.29.2, and the patch can be applied to all affected versions (from 1.0.1 up until 2.29.1, inclusive).
##### Workarounds
Sanitize the user-provided locale name before passing it to moment.js.
##### References
_Are there any links users can visit to find out more?_
##### For more information
If you have any questions or comments about this advisory:
* Open an issue in [moment repo](https://togithub.com/moment/moment)
#### Severity
- CVSS Score: 7.5 / 10 (High)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N`
#### References
- [https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4](https://togithub.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4)
- [https://nvd.nist.gov/vuln/detail/CVE-2022-24785](https://nvd.nist.gov/vuln/detail/CVE-2022-24785)
- [https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5](https://togithub.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5)
- [https://github.com/moment/moment](https://togithub.com/moment/moment)
- [https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html](https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html)
- [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q)
- [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5)
- [https://security.netapp.com/advisory/ntap-20220513-0006](https://security.netapp.com/advisory/ntap-20220513-0006)
- [https://www.tenable.com/security/tns-2022-09](https://www.tenable.com/security/tns-2022-09)
This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-8hfj-j24r-96c4) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).
Moment.js vulnerable to Inefficient Regular Expression Complexity
More information
#### Details
##### Impact
* using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs
* noticeable slowdown is observed with inputs above 10k characters
* users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks
##### Patches
The problem is patched in 2.29.4; the patch can be applied to all affected versions with minimal tweaking.
##### Workarounds
In general, given the proliferation of ReDoS attacks, it makes sense to limit the length of the user input to something sane, like 200 characters or less. I haven't seen legitimate cases of date-time strings longer than that, so all moment users who do pass a user-originating string to the constructor are encouraged to apply such a rudimentary filter, which would help with this but also with most future ReDoS vulnerabilities.
##### References
There is an excellent writeup of the issue here: [https://github.com/moment/moment/pull/6015#issuecomment-1152961973](https://togithub.com/moment/moment/pull/6015#issuecomment-1152961973)
##### Details
The issue is rooted in the code that removes legacy comments (stuff inside parentheses) from strings during rfc2822 parsing. `moment("(".repeat(500000))` will take a few minutes to process, which is unacceptable.
#### Severity
- CVSS Score: 7.5 / 10 (High)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`
#### References
- [https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g](https://togithub.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g)
- [https://nvd.nist.gov/vuln/detail/CVE-2022-31129](https://nvd.nist.gov/vuln/detail/CVE-2022-31129)
- [https://github.com/moment/moment/pull/6015#issuecomment-1152961973](https://togithub.com/moment/moment/pull/6015#issuecomment-1152961973)
- [https://github.com/moment/moment/pull/6015/commits/4bbb9f3ccbe231de40207503f344fe5ce97584f4](https://togithub.com/moment/moment/pull/6015/commits/4bbb9f3ccbe231de40207503f344fe5ce97584f4)
- [https://github.com/moment/moment/pull/6015/commits/bfd4f2375d5c1a2106246721d693a9611dddfbfe](https://togithub.com/moment/moment/pull/6015/commits/bfd4f2375d5c1a2106246721d693a9611dddfbfe)
- [https://github.com/moment/moment/pull/6015/commits/dc0d180e90d8a84f7ff13572363330a22b3ea504](https://togithub.com/moment/moment/pull/6015/commits/dc0d180e90d8a84f7ff13572363330a22b3ea504)
- [https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3](https://togithub.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3)
- [https://github.com/moment/moment](https://togithub.com/moment/moment)
- [https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633](https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633)
- [https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html](https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html)
- [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q)
- [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O)
- [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5)
- [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO)
- [https://security.netapp.com/advisory/ntap-20221014-0003](https://security.netapp.com/advisory/ntap-20221014-0003)
This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-wc69-rhjr-hc9g) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).
This PR contains the following updates:
2.29.1 -> 2.29.4
Path Traversal: 'dir/../../filename' in moment.locale
CVE-2022-24785 / GHSA-8hfj-j24r-96c4
Moment.js vulnerable to Inefficient Regular Expression Complexity
CVE-2022-31129 / CVE-2023-22467 / GHSA-3xq5-wjfh-ppjc / GHSA-wc69-rhjr-hc9g
Release Notes
moment/moment (moment)
### [`v2.29.4`](https://togithub.com/moment/moment/blob/HEAD/CHANGELOG.md#2294)
[Compare Source](https://togithub.com/moment/moment/compare/2.29.3...2.29.4)
- Release Jul 6, 2022
- [#6015](https://togithub.com/moment/moment/pull/6015) \[bugfix] Fix ReDoS in preprocessRFC2822 regex
### [`v2.29.3`](https://togithub.com/moment/moment/blob/HEAD/CHANGELOG.md#2293-Full-changelog)
[Compare Source](https://togithub.com/moment/moment/compare/2.29.2...2.29.3)
- Release Apr 17, 2022
- [#5995](https://togithub.com/moment/moment/pull/5995) \[bugfix] Remove const usage
- [#5990](https://togithub.com/moment/moment/pull/5990) misc: fix advisory link
### [`v2.29.2`](https://togithub.com/moment/moment/blob/HEAD/CHANGELOG.md#2292-See-full-changelog)
[Compare Source](https://togithub.com/moment/moment/compare/2.29.1...2.29.2)
- Release Apr 3 2022
Address https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.
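The two workarounds in the advisories above (sanitize the locale name; cap date strings at 200 characters) written as input guards that run before moment is called. This is an added example, not code from moment or from this PR; the locale allowlist, the function names and `commentScanCost`, a simplified model of the comment scan the advisory describes, are assumptions.

```javascript
'use strict';
// Added example, not moment's code. moment is not imported: the guards run
// before any call to moment.locale() or moment().

// Assumption: the locales this application ships (constructed list).
const SUPPORTED_LOCALES = new Set(['en', 'fr', 'de', 'pt-br']);
const MAX_DATE_INPUT = 200; // cap suggested in the advisory

// Workaround 1: only exact allowlist members reach moment.locale(), so path
// syntax such as separators or dot segments can never be part of the name.
function safeLocale(input, fallback = 'en') {
  if (typeof input !== 'string') return fallback;
  const name = input.trim().toLowerCase().replace(/_/g, '-');
  return SUPPORTED_LOCALES.has(name) ? name : fallback;
}

// Workaround 2: refuse over-long strings before they reach the parser.
function safeDateInput(input, maxLen = MAX_DATE_INPUT) {
  return typeof input === 'string' && input.length <= maxLen ? input : null;
}

// Simplified model (assumption) of the comment removal the advisory describes:
// at every "(" the scan runs forward looking for ")", and when none exists the
// whole remainder has been read for nothing. Returns characters visited.
function commentScanCost(s) {
  let visited = 0;
  for (let i = 0; i < s.length; i++) {
    visited++;
    if (s[i] !== '(') continue;
    let j = i + 1;
    while (j < s.length && s[j] !== ')') { j++; visited++; }
    if (j < s.length) i = j; // comment closed: resume after it
  }
  return visited;
}

// Constructed inputs: accepted locale, rejected locale, and scan cost growth.
console.log(safeLocale('FR'), safeLocale('dir/../../filename'));
console.log(safeDateInput('Wed, 06 Jul 2022 10:00:00 +0000') !== null);
console.log(safeDateInput('('.repeat(10000)) === null);
console.log(commentScanCost('('.repeat(200)), commentScanCost('('.repeat(2000)));
```

With the 200-character cap the worst-case scan stays near twenty thousand character visits; a tenfold longer input costs roughly a hundred times more, which is the quadratic growth the advisory reports.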