[ https://issues.apache.org/jira/browse/CB-13537?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

jcesarmobile resolved CB-13537.
-------------------------------
       Resolution: Fixed
    Fix Version/s:     (was: 3.0.0)

This was fixed in 1.0.9.

> Regular Expression Denial of Service in cordova-plugin-globalization's moment.js version 2.8.4 that is being used
> -----------------------------------------------------------------------------------------------------------------
>
>                 Key: CB-13537
>                 URL: https://issues.apache.org/jira/browse/CB-13537
>             Project: Apache Cordova
>          Issue Type: Bug
>          Components: cordova-plugin-globalization (DEPRECATED)
>    Affects Versions: 3.0.0
>         Environment: All users of globalization plugin
>            Reporter: Srutha Keerthi
>            Priority: Critical
>              Labels: security
>   Original Estimate: 6h
>  Remaining Estimate: 6h
>
> The following critical and medium security violation was found on moment (version 2.8.4).
> This is used by the plugin cordova-plugin-globalization. This plugin obtains information and performs operations specific to the user's locale, language, and timezone.
> Vulnerability
> The moment package is vulnerable to a Regular Expression Denial of Service (ReDoS). The moment.duration() method in moment.js contains a regular expression, used to determine if an input is of the ASP.NET date format, that can cause an application to hang. The aspNetRegex, the variable's name in the code, causes very slow processing of exponentially long repetitive sequences, leading to a Denial of Service (DoS) due to excessive resource consumption. A remote attacker could exploit this flaw by supplying a specially crafted request URL containing long repetitive sequences to cause the denial of service (DoS).
> Link: [https://nodesecurity.io/advisories/55]
>
> Further ReDoS fixes were provided, and moment.js version 2.19.3 and above solves the security vulnerability completely.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
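As an added example that is not part of this ticket, of cordova-plugin-globalization or of moment.js: a version gate against the 2.19.3 fix named in the report, and an input guard that bounds what is allowed to reach a regex-based duration parser such as moment.duration(), the usual stop-gap while a dependency upgrade is pending. The helper names and the 64-character limit are my own assumptions.

```javascript
// Added example, not project code. Two defensive checks derived from the advisory above.

// Version at or above which moment.js is described as fully fixed in the ticket.
const MOMENT_FIXED_VERSION = '2.19.3';

// Parse a plain "major.minor.patch" string into three numbers.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`not a plain semver string: ${v}`);
  return m.slice(1).map(Number);
}

// Return -1, 0 or 1 comparing two semver strings numerically, not lexically.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when an installed moment.js version predates the 2.19.3 fix.
function isMomentAffected(version) {
  return compareSemver(version, MOMENT_FIXED_VERSION) < 0;
}

// Bound the length and character set of caller-supplied duration strings before any
// regex runs on them. ASP.NET TimeSpan text ("d.hh:mm:ss.fffffff") only needs digits,
// '-', '.' and ':', and never approaches 64 characters (assumed limit), so anything
// longer or outside that set is rejected up front. The check itself is a simple
// character-class match with no nested quantifiers, so it runs in linear time.
function safeDurationInput(input, maxLen = 64) {
  if (typeof input !== 'string') return { ok: false, reason: 'not a string' };
  if (input.length > maxLen) return { ok: false, reason: 'too long' };
  if (!/^[-0-9.:]+$/.test(input)) return { ok: false, reason: 'unexpected characters' };
  return { ok: true, value: input };
}
```

In an audit script, feed isMomentAffected() the version read from the plugin's installed node_modules/moment/package.json; in application code, call safeDurationInput() and only pass result.value on to the parser.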
