- ----------------------------------------------------------------------- Debian LTS Advisory DLA-3295-1 [email protected] https://www.debian.org/lts/security/ Utkarsh Gupta January 31, 2023 https://wiki.debian.org/LTS - ----------------------------------------------------------------------- Package : node-moment Version : 2.24.0+ds-1+deb10u1 CVE ID : CVE-2022-24785 CVE-2022-31129 Debian Bug : 1009327 1014845 Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A couple of vulnerabilities were reported as follows: CVE-2022-24785 A path traversal vulnerability impacts npm (server) users of Moment.js, especially if a user-provided locale string is directly used to switch moment locale. CVE-2022-31129 Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. For Debian 10 buster, these problems have been fixed in version 2.24.0+ds-1+deb10u1. We recommend that you upgrade your node-moment packages. For the detailed security status of node-moment please refer to its security tracker page at: https://security-tracker.debian.org/tracker/node-moment Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Debian LTS: DLA-3295-1: node-moment security update
January 30, 2023
Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates
Summary
CVE-2022-24785
A path traversal vulnerability impacts npm (server) users of
Moment.js, especially if a user-provided locale string is directly
used to switch moment locale.
CVE-2022-31129
Affected versions of moment were found to use an inefficient
parsing algorithm. Specifically using string-to-date parsing in
moment (more specifically rfc2822 parsing, which is tried by
default) has quadratic (N^2) complexity on specific inputs. Users
may notice a noticeable slowdown is observed with inputs above 10k
characters. Users who pass user-provided strings without sanity
length checks to moment constructor are vulnerable to (Re)DoS
attacks.
For Debian 10 buster, these problems have been fixed in version
2.24.0+ds-1+deb10u1.
We recommend that you upgrade your node-moment packages.
For the detailed security status of node-moment please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/node-moment
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
Severity
Package : node-moment
Version : 2.24.0+ds-1+deb10u1
CVE ID : CVE-2022-24785 CVE-2022-31129
Debian Bug : 1009327 1014845
News
HOWTOs
Features
Best Linux Backup Solutions to Prevent Data Loss in A Ransomware Attack
ManageEngine Vulnerability Manager Plus: How To Protect Your Enterprise from Security Vulnerabilities
High-Impact DoS, Arbitrary Code Execution, Spoofing Bugs Fixed in Thunderbird 102.9.0
A Guide to Business Cybersecurity: Common Digital Attacks and Precautions
New Linux IceFire Ransomware Variant Discovered: What You Need to Know to Secure Your Systems
About Us
Powered By
