Mayank Kunwar created TEZ-4573:
----------------------------------

Summary: Upgrade momentjs to 2.29.4 due to CVE-2022-24785, CVE-2022-31129 and CVE-2017-18214
Key: TEZ-4573
URL: https://issues.apache.org/jira/browse/TEZ-4573
Project: Apache Tez
Issue Type: Task
Reporter: Mayank Kunwar

Upgrade momentjs to 2.29.4 due to CVE-2022-24785, CVE-2022-31129 and CVE-2017-18214

CVE-2022-24785 - A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale.
CVSSv3 Score: 6.5 (Medium)
[https://nvd.nist.gov/vuln/detail/CVE-2023-45857]

CVE-2022-31129 - Affected versions of moment were found to use an inefficient parsing algorithm. Specifically, using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to the moment constructor are vulnerable to (Re)DoS attacks.
CVSSv3 Score: 7.5 (High)
[https://nvd.nist.gov/vuln/detail/CVE-2022-31129]

CVE-2017-18214 - The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055.
CVSSv3 Score: 7.5 (High)
[https://nvd.nist.gov/vuln/detail/CVE-2017-18214]

Affected Path:
[https://github.infra.cloudera.com/cdh/tez/blob/CDH-7.1.7.3000/tez-ui/src/main/webapp/yarn.lock#:~:text=%22moment%40%3E%3D%202.6.0,resolved%20%22https%3A//registry]

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
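
One way to verify the upgrade against the lockfile named under Affected Path, as an added example that is not part of the ticket or the Tez code base: it scans yarn.lock (v1 format) text for `moment` entries resolved below 2.29.4. The lockfile text and registry host are constructed samples, and the function names are hypothetical.

```javascript
// Fixed version named in the ticket.
const FIXED = [2, 29, 4];

// Constructed sample lockfile text (not the project's real yarn.lock).
const SAMPLE_LOCK = `
"moment@>= 2.6.0":
  version "2.12.0"
  resolved "https://registry.example.invalid/moment/-/moment-2.12.0.tgz"

moment-timezone@^0.5.0:
  version "0.5.43"

moment@^2.29.4:
  version "2.29.4"
`;

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

// True when version a sorts strictly before version b.
function isBelow(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

function findOldMoment(lockText) {
  const findings = [];
  let header = null;
  for (const line of lockText.split(/\r?\n/)) {
    if (/^\S.*:$/.test(line)) {
      // Entry header: one or more comma-separated "name@range" specifiers.
      const specs = line.slice(0, -1).split(",").map(s => s.trim().replace(/^"|"$/g, ""));
      // Match the moment package only, not moment-timezone and similar names.
      header = specs.some(s => s.startsWith("moment@")) ? specs.join(", ") : null;
    } else if (header) {
      const m = /^\s+version "?([^"\s]+)"?$/.exec(line);
      if (!m) continue;
      const v = parseVersion(m[1]);
      // Unparseable versions are reported too, so they get a manual look.
      if (!v || isBelow(v, FIXED)) findings.push({ entry: header, version: m[1] });
      header = null;
    }
  }
  return findings;
}

console.log(findOldMoment(SAMPLE_LOCK));
```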