Srutha Keerthi created CB-13537:
-----------------------------------

             Summary: Regular Expression Denial of Service in cordova-plugin-globalization's moment.js version 2.8.4 that is being used
                 Key: CB-13537
                 URL: https://issues.apache.org/jira/browse/CB-13537
             Project: Apache Cordova
          Issue Type: Bug
          Components: cordova-plugin-globalization
   Affects Versions: 3.0.0
         Environment: All users of globalization plugin
            Reporter: Srutha Keerthi
             Fix For: 3.0.0

The following critical and medium security violation was found on moment (version 2.8.4). This is used by the plugin cordova-plugin-globalization. This plugin obtains information and performs operations specific to the user's locale, language, and timezone.

Vulnerability

The moment package is vulnerable to a Regular Expression Denial of Service (ReDoS). The moment.duration() method in moment.js contains a regular expression, used to determine if an input is of the ASP.NET date format, that can cause an application to hang. The aspNetRegex, the variable's name in the code, causes very slow processing of exponentially long repetitive sequences leading to a Denial of Service (DoS) due to excessive resource consumption. A remote attacker could exploit this flaw by supplying a specially crafted request URL containing long repetitive sequences to cause the denial of service (DoS).

Link: https://nodesecurity.io/advisories/55
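
An added example, not part of the original report and not code from moment.js or the plugin: a length-capped, single-pass check that an application could run on untrusted strings before handing them to a duration parser, so that long repetitive input is rejected without ever reaching a regular expression. The function name, the `MAX_LEN` value and the accepted shape `[-][d.]hh:mm[:ss[.fff]]` are assumptions made for this sketch.

```javascript
// Assumed cap: a legitimate time-span string is short, so anything longer is refused.
const MAX_LEN = 32;

// Hypothetical helper: parse "[-][d.]hh:mm[:ss[.fff]]" in one left-to-right pass.
// Returns an object with numeric fields, or null if the input is not acceptable.
function parseAspNetTimeSpan(input) {
  if (typeof input !== 'string' || input.length === 0 || input.length > MAX_LEN) return null;
  let pos = 0;
  // Consume one run of ASCII digits; every character is visited once, no backtracking.
  const digits = () => {
    const start = pos;
    while (pos < input.length && input[pos] >= '0' && input[pos] <= '9') pos++;
    return pos > start ? input.slice(start, pos) : null;
  };
  // Consume ch only if it is the next character.
  const eat = (ch) => (input[pos] === ch ? (pos++, true) : false);

  const sign = eat('-') ? -1 : 1;
  let days = '0';
  let hours = digits();
  if (hours === null) return null;
  if (eat('.')) {                       // optional "d." day prefix
    days = hours;
    hours = digits();
    if (hours === null) return null;
  }
  if (!eat(':')) return null;
  const minutes = digits();
  if (minutes === null) return null;
  let seconds = '0';
  let fraction = '0';
  if (eat(':')) {                       // optional ":ss"
    seconds = digits();
    if (seconds === null) return null;
    if (eat('.')) {                     // optional fractional seconds
      fraction = digits();
      if (fraction === null) return null;
    }
  }
  if (pos !== input.length) return null; // reject trailing characters
  return {
    sign, days: +days, hours: +hours, minutes: +minutes, seconds: +seconds,
    milliseconds: Math.round(Number('0.' + fraction) * 1000),
  };
}
```

Input that returns `null` should be rejected at the request boundary rather than passed on to `moment.duration()`.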