[
https://issues.apache.org/jira/browse/CB-13537?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Srutha Keerthi updated CB-13537:
--------------------------------
Priority: Critical (was: Major)
> Regular Expression Denial of Service in cordova-plugin-globalization's
> moment.js version 2.8.4 that is being used
> -----------------------------------------------------------------------------------------------------------------
>
> Key: CB-13537
> URL: https://issues.apache.org/jira/browse/CB-13537
> Project: Apache Cordova
> Issue Type: Bug
> Components: cordova-plugin-globalization
> Affects Versions: 3.0.0
> Environment: All users of globalization plugin
> Reporter: Srutha Keerthi
> Priority: Critical
> Labels: security
> Fix For: 3.0.0
>
> Original Estimate: 6h
> Remaining Estimate: 6h
>
> The following critical and medium security violations were found in moment
> (version 2.8.4).
> This is used by the plugin cordova-plugin-globalization.
> This plugin obtains information and performs operations specific to the
> user's locale, language, and timezone.
> Vulnerability
> The moment package is vulnerable to a Regular Expression Denial of
> Service (ReDoS). The moment.duration() method in moment.js contains a
> regular expression, used to determine if an input is of the ASP.NET
> date format, that can cause an application to hang. The aspNetRegex,
> the variable's name in the code, causes very slow processing of
> exponentially long repetitive sequences leading to a Denial of Service
> (DoS) due to excessive resource consumption. A remote attacker could
> exploit this flaw by supplying a specially crafted request URL
> containing long repetitive sequences to cause the denial of service
> (DoS).
> Link: https://nodesecurity.io/advisories/55
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
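A worked illustration of the failure mode the report describes, added here as an example; it is not code from moment.js, cordova-plugin-globalization or the linked advisory. The two patterns are an assumption written for this example to match the ASP.NET TimeSpan shape "[-][d.]hh:mm[:ss[.fff]]" that the report mentions, not the actual aspNetRegex from moment 2.8.4, and the function names (hostileInput, timeRegex, parseAspNetDuration, toMilliseconds) are hypothetical. The constructed hostile input is a long run of digits with no ':' anywhere, which is the "long repetitive sequence" case: an unanchored pattern retries from every start position and backtracks over the whole remaining digit run each time, so cost grows quadratically with input length, while an anchored pattern behind a length cap fails after one linear scan.

```javascript
// Added example, not code from moment.js or cordova-plugin-globalization.
// ASSUMPTION: both patterns are written for this illustration to match the
// ASP.NET TimeSpan shape "[-][d.]hh:mm[:ss[.fff]]"; neither is copied from moment 2.8.4.

// Unanchored: the engine retries the match from every start position, and at each
// position the greedy \d* and \d+ groups backtrack over the whole remaining digit run
// before failing, so a long digit string with no ':' costs O(n^2) work.
const UNANCHORED_RE = /(-)?(?:(\d*)\.)?(\d+):(\d+)(?::(\d+)\.?(\d{3})?)?/;

// Anchored: only position 0 is tried, and a failure is found after one linear scan.
const ANCHORED_RE = /^(-)?(?:(\d*)\.)?(\d+):(\d+)(?::(\d+)\.?(\d{3})?)?$/;

// A legitimate value is short ("-99999.23:59:59.999" is 19 characters), so refuse
// anything far beyond that before the regex engine ever sees it.
const MAX_DURATION_LEN = 32;

// Constructed hostile input: n digits and no ':' anywhere, so every attempt fails late.
function hostileInput(n) {
  return '1'.repeat(n) + '!';
}

// Time a single re.test() call; returns { matched, elapsedMs }.
function timeRegex(re, input) {
  const start = process.hrtime.bigint();
  const matched = re.test(input);
  const elapsedMs = Number(process.hrtime.bigint() - start) / 1e6;
  return { matched, elapsedMs };
}

// Hardened parser: cheap length check first, anchored regex second.
// Returns null on rejection, otherwise the parsed fields.
function parseAspNetDuration(input) {
  if (typeof input !== 'string' || input.length > MAX_DURATION_LEN) return null;
  const m = ANCHORED_RE.exec(input);
  if (!m) return null;
  return {
    sign: m[1] ? -1 : 1,
    days: m[2] ? Number(m[2]) : 0,       // group 2 is '' when the "d." prefix is absent
    hours: Number(m[3]),
    minutes: Number(m[4]),
    seconds: m[5] ? Number(m[5]) : 0,
    milliseconds: m[6] ? Number(m[6]) : 0,
  };
}

// Collapse the parsed fields into signed milliseconds.
function toMilliseconds(d) {
  const total = ((d.days * 24 + d.hours) * 60 + d.minutes) * 60 * 1000
              + d.seconds * 1000 + d.milliseconds;
  return d.sign * total;
}

// Quadruple the input length and watch the unanchored time grow roughly 16x,
// while the anchored pattern stays linear.
function demo() {
  for (const n of [2000, 4000, 8000]) {
    const slow = timeRegex(UNANCHORED_RE, hostileInput(n));
    const fast = timeRegex(ANCHORED_RE, hostileInput(n));
    console.log(`n=${n}: unanchored ${slow.elapsedMs.toFixed(1)} ms, anchored ${fast.elapsedMs.toFixed(2)} ms`);
  }
  console.log(parseAspNetDuration('1.02:03:04.567'));      // parsed fields
  console.log(parseAspNetDuration(hostileInput(100000)));  // null: rejected by the length cap
  console.log(UNANCHORED_RE.test('abc 1:02'), ANCHORED_RE.test('abc 1:02')); // true false
}

if (typeof require !== 'undefined' && require.main === module) demo();
```

The length cap and the anchors are general ReDoS mitigations for a parser of a fixed-shape format, and the anchors also close the side issue that an unanchored pattern accepts garbage such as "abc 1:02"; they do not replace upgrading moment to a version outside the affected range listed in the linked advisory, which is the fix this issue tracks.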