Srutha Keerthi created CB-13537:
-----------------------------------

             Summary: Regular Expression Denial of Service in cordova-plugin-globalization's moment.js version 2.8.4 that is being used
                 Key: CB-13537
                 URL: https://issues.apache.org/jira/browse/CB-13537
             Project: Apache Cordova
          Issue Type: Bug
          Components: cordova-plugin-globalization
    Affects Versions: 3.0.0
         Environment: All users of globalization plugin
            Reporter: Srutha Keerthi
             Fix For: 3.0.0


The following critical and medium security violation was found in moment
(version 2.8.4).

This is used by the plugin cordova-plugin-globalization.
This plugin obtains information and performs operations specific to the
user's locale, language, and timezone.

Vulnerability
The moment package is vulnerable to a Regular Expression Denial of
Service (ReDoS). The moment.duration() method in moment.js contains a
regular expression, used to determine if an input is of the ASP.NET
date format, that can cause an application to hang. The aspNetRegex,
the variable's name in the code, causes very slow processing of
exponentially long repetitive sequences leading to a Denial of Service
(DoS) due to excessive resource consumption. A remote attacker could
exploit this flaw by supplying a specially crafted request URL
containing long repetitive sequences to cause the denial of service
(DoS).

Link: https://nodesecurity.io/advisories/55




--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
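
One way to check whether a project installs the moment version named in this report is to search its npm lockfile. This is an added example, not part of the original message or of Cordova's code. The sample lockfiles and the "9.9.9" version are constructed, and the match is on the exact reported version because the message names no fixed release.

```javascript
// Version named in the report; matched exactly because no fixed version is given.
const REPORTED = { name: "moment", version: "2.8.4" };

// Return the install path of every copy of the reported package in an npm lockfile.
function findReported(lock, target = REPORTED) {
  const hits = [];
  const isHit = (name, info) =>
    name === target.name && info && info.version === target.version;
  const record = (chain, info) => hits.push(`${chain.join(" > ")}@${info.version}`);

  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path ("" is the root project).
    for (const [path, info] of Object.entries(lock.packages)) {
      const chain = path.split("node_modules/")
        .map((part) => part.replace(/\/$/, "")).filter(Boolean);
      if (chain.length && isHit(chain[chain.length - 1], info)) record(chain, info);
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" objects mirror the install tree.
  const walk = (deps, chain) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const here = chain.concat(name);
      if (isHit(name, info)) record(here, info);
      walk(info.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfiles (not from a real project); "9.9.9" is a placeholder.
const SAMPLE_LOCK_V1 = { lockfileVersion: 1, dependencies: {
  moment: { version: "9.9.9" },
  "cordova-plugin-globalization": { version: "3.0.0", dependencies: { moment: { version: "2.8.4" } } },
} };
const SAMPLE_LOCK_V3 = { lockfileVersion: 3, packages: {
  "": { name: "example-app" },
  "node_modules/moment": { version: "9.9.9" },
  "node_modules/cordova-plugin-globalization/node_modules/moment": { version: "2.8.4" },
} };

console.log(findReported(SAMPLE_LOCK_V1), findReported(SAMPLE_LOCK_V3));
```

A copy of moment.js vendored directly into a plugin's source tree does not appear in a lockfile, so a file search is still needed for that case.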