geonetwork / core-geonetwork

GeoNetwork is a catalog application to manage spatially referenced resources. It provides powerful metadata editing and search functions as well as an interactive web map viewer. It is currently used in numerous Spatial Data Infrastructure initiatives across the world.
http://geonetwork-opensource.org/
GNU General Public License v2.0

Severe ReDoS vulnerability: moment.js #3387

Open bchartier opened 5 years ago

bchartier commented 5 years ago

We have been informed of a severe regular expression Denial of Service (ReDoS) vulnerability caused by the use of an outdated version of moment.js by GeoNetwork:

fxprunayre commented 5 years ago

Thanks for reporting. It looks like 3.4.x and master are both using moment 2.18.1, cf. https://github.com/geonetwork/core-geonetwork/blob/3.4.x/web-ui/src/main/resources/catalog/lib/moment+langs.min.js#L82. Which version are you using?

bchartier commented 5 years ago

Hum 3.2.2. Sorry. So, this vulnerability has been fixed as I can see in your answer. Sorry again for this outdated alert.

fxprunayre commented 5 years ago

You can safely cherry-pick the commit if you need it applied to 3.2.2 https://github.com/geonetwork/core-geonetwork/commit/313c7e2a452e908c1ff283c1b3e8e02ea7d2aa73#diff-56c156a44c44136483e50386ea7842aa

bchartier commented 5 years ago

Thank you very much.

bchartier commented 5 years ago

I closed this issue too quickly. Another vulnerability (less severe) exists with versions of Moment less than 2.19.3: see https://github.com/moment/moment/issues/4163 and https://nodesecurity.io/advisories/532

Sorry, I should have noticed this at the same time.

fxprunayre commented 5 years ago

Update done for 3.6.0.

bchartier commented 5 years ago

Thank you