CVE-2017-18214: The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string

smartystreets / goconvey

Go testing in the browser. Integrates with `go test`. Write behavioral tests in Go.

http://smartystreets.github.io/goconvey/

Other

8.25k stars 555 forks source link

CVE-2017-18214: The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string #592

Open ghost opened 4 years ago

ghost commented 4 years ago

There is a vulnerability in the moments.js library used by goconvey, which was confirmed here.

Risk assessment: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 7.5 (High)

This can be fixed by updating the library to a newer version.

kashok-splunk commented 3 years ago

Hi @jose-cortina Do we have any update on this? When the updated goconvey will be available?

ghost commented 3 years ago

Sorry @kashok-splunk, I am not maintaining this library and was merely reporting this vulnerability. As far as I can see, the moment.js was last updated 6 years ago.