Rohit Kumar created HDDS-8288:
---------------------------------
Summary: Upgrade moment.js to 2.29.4 due to CVE-2022-24785,
CVE-2022-31129
Key: HDDS-8288
URL: https://issues.apache.org/jira/browse/HDDS-8288
Project: Apache Ozone
Issue Type: Task
Reporter: Rohit Kumar
*CVE-2022-24785* :- A path traversal vulnerability impacts npm (server) users
of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided
locale string is directly used to switch moment locale.
NVD link :- [https://nvd.nist.gov/vuln/detail/CVE-2022-24785]
*CVE-2022-31129 :* Affected versions of moment were found to use an inefficient
parsing algorithm. Specifically using string-to-date parsing in moment (more
specifically rfc2822 parsing, which is tried by default) has quadratic (N^2)
complexity on specific inputs. Users may notice a noticeable slowdown is
observed with inputs above 10k characters. Users who pass user-provided strings
without sanity length checks to moment constructor are vulnerable to (Re)DoS
attacks. The problem is patched in 2.29.4
Both of these CVEs are of High severity.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
