Debian 10 Buster DLA-3295-1 Critical: Node-Moment Path Traversal and DoS
debian lts
January 30, 2023
Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates
Topics Covered
Summary
CVE-2022-24785
A path traversal vulnerability impacts npm (server) users of
Moment.js, especially if a user-provided locale string is directly
used to switch moment locale.
CVE-2022-31129
Affected versions of moment were found to use an inefficient
parsing algorithm. Specifically using string-to-date parsing in
moment (more specifically rfc2822 parsing, which is tried by
default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k
characters. Users who pass user-provided strings without sanity
length checks to moment constructor are vulnerable to (Re)DoS
attacks.
For Debian 10 buster, these problems have been fixed in version
2.24.0+ds-1+deb10u1.
We recommend that you upgrade your node-moment packages.
For the detailed security status of node-moment please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/source-package/node-moment
PREVIOUS
NEXT
Severity
critical
Lowest
Low
Medium
High
Critical
Package: node-moment
Version: 2.24.0+ds-1+deb10u1
CVE ID: CVE-2022-24785 CVE-2022-31129
Debian Bug: 1009327 1014845
Topics Covered
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!