[
https://issues.apache.org/jira/browse/HDDS-8288?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
ASF GitHub Bot updated HDDS-8288:
---------------------------------
Labels: pull-request-available (was: )
> Upgrade moment.js to 2.29.4 due to CVE-2022-24785, CVE-2022-31129
> -----------------------------------------------------------------
>
> Key: HDDS-8288
> URL: https://issues.apache.org/jira/browse/HDDS-8288
> Project: Apache Ozone
> Issue Type: Task
> Reporter: Rohit Kumar
> Assignee: Rohit Kumar
> Priority: Major
> Labels: pull-request-available
>
> *CVE-2022-24785* :- A path traversal vulnerability impacts npm (server) users
> of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided
> locale string is directly used to switch moment locale.
> NVD link :- [https://nvd.nist.gov/vuln/detail/CVE-2022-24785]
>
> *CVE-2022-31129 :* Affected versions of moment were found to use an
> inefficient parsing algorithm. Specifically using string-to-date parsing in
> moment (more specifically rfc2822 parsing, which is tried by default) has
> quadratic (N^2) complexity on specific inputs. Users may notice a noticeable
> slowdown is observed with inputs above 10k characters. Users who pass
> user-provided strings without sanity length checks to moment constructor are
> vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4
> Both of these CVEs are of High severity.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
