Open mend-for-github-com[bot] opened 3 months ago
Parse, manipulate, and display dates.
Library home page: https://registry.npmjs.org/moment/-/moment-2.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/express-jwt/node_modules/moment/package.json
Dependency Hierarchy: - express-jwt-0.1.3.tgz (Root Library) - jsonwebtoken-0.1.0.tgz - :x: **moment-2.0.0.tgz** (Vulnerable Library)
Found in base branch: master
The duration function in the moment package before 2.11.2 for Node.js allows remote attackers to cause a denial of service (CPU consumption) via a long string, aka a "regular expression Denial of Service (ReDoS)."
Publish Date: 2017-01-23
URL: CVE-2016-4055
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
Type: Upgrade version
Origin: https://github.com/advisories/GHSA-87vv-r9j6-g5qv
Release Date: 2017-01-23
Fix Resolution (moment): 2.11.2
Direct dependency fix Resolution (express-jwt): 0.1.4
CVE-2016-4055 - Medium Severity Vulnerability
Vulnerable Library - moment-2.0.0.tgz
Parse, manipulate, and display dates.
Library home page: https://registry.npmjs.org/moment/-/moment-2.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/express-jwt/node_modules/moment/package.json
Dependency Hierarchy: - express-jwt-0.1.3.tgz (Root Library) - jsonwebtoken-0.1.0.tgz - :x: **moment-2.0.0.tgz** (Vulnerable Library)
Found in base branch: master
Vulnerability Details
The duration function in the moment package before 2.11.2 for Node.js allows remote attackers to cause a denial of service (CPU consumption) via a long string, aka a "regular expression Denial of Service (ReDoS)."
Publish Date: 2017-01-23
URL: CVE-2016-4055
CVSS 3 Score Details (6.5)
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://github.com/advisories/GHSA-87vv-r9j6-g5qv
Release Date: 2017-01-23
Fix Resolution (moment): 2.11.2
Direct dependency fix Resolution (express-jwt): 0.1.4