Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS04aGZqLWoyNHItOTZjNM04JA

Path Traversal: 'dir/../../filename' in moment.locale

Impact

This vulnerability affects npm (server-side) users of moment.js, especially where a user-provided locale string (e.g. fr) is passed directly to moment.locale to switch the locale.

Patches

This problem is patched in 2.29.2, and the patch can be applied to all affected versions (from 1.0.1 up until 2.29.1, inclusive).

Workarounds

Sanitize user-provided locale name before passing it to moment.js.
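One way to apply this workaround, as an added example that is not moment.js project code: an allow-list check placed in front of moment.locale(), so that only an exact, lowercase locale tag the application actually ships can reach the library. The SUPPORTED_LOCALES set, the request shape and the fakeMoment stand-in are constructed for the example.

```javascript
// Added example (not moment.js code): validate a user-supplied locale name
// before it reaches moment.locale(). In versions < 2.29.2 the name was used
// in a relative path lookup, so '../' segments could escape the locale
// directory; the application-side fix is to forward only known-good names.

// Locale names moment ships are lowercase tags such as "fr", "en-gb", "zh-cn".
// Shape check: letters/digits and hyphens only, so '/', '\\', '.' never pass.
const LOCALE_TAG = /^[a-z]{1,3}(?:-[a-z0-9]{2,8})*$/;

// Allow-list of locales this hypothetical application bundles (assumed values).
const SUPPORTED_LOCALES = new Set(['en', 'en-gb', 'fr', 'de', 'zh-cn']);

const DEFAULT_LOCALE = 'en';

// Returns a locale name that is safe to pass to moment.locale(), or the
// default locale when the input is not an exact, allow-listed tag.
function sanitizeLocale(userInput) {
  if (typeof userInput !== 'string') return DEFAULT_LOCALE;
  // Normalise the same way moment does (lowercase), then trim whitespace.
  const candidate = userInput.trim().toLowerCase();
  if (!LOCALE_TAG.test(candidate)) return DEFAULT_LOCALE;
  // A well-formed tag is still dropped if the application does not ship it.
  return SUPPORTED_LOCALES.has(candidate) ? candidate : DEFAULT_LOCALE;
}

// Pattern the advisory warns about: the raw query parameter goes straight in.
function setLocaleUnsafe(momentLike, req) {
  return momentLike.locale(req.query.locale);
}

// Hardened pattern: only the sanitized value reaches the library.
function setLocaleSafe(momentLike, req) {
  return momentLike.locale(sanitizeLocale(req.query.locale));
}

// Constructed stand-in for the moment object so the example runs offline;
// it only records which locale name was requested.
function fakeMoment() {
  const calls = [];
  return { calls, locale(name) { calls.push(name); return name; } };
}
```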

Permalink: https://github.com/advisories/GHSA-8hfj-j24r-96c4
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04aGZqLWoyNHItOTZjNM04JA
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 2 years ago
Updated: 5 months ago


CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Identifiers: GHSA-8hfj-j24r-96c4, CVE-2022-24785
References: Repository: https://github.com/moment/moment
Blast Radius: 46.0

Affected Packages

nuget:Moment.js
Dependent packages: 0
Dependent repositories: 0
Downloads: 19,622,102 total
Affected Version Ranges: < 2.29.2
Fixed in: 2.29.2
All affected versions: 1.2.0, 1.3.0, 1.4.0, 1.5.0, 1.5.1, 1.6.0, 1.6.1, 1.6.2, 1.7.0, 1.7.1, 1.7.2, 2.0.0, 2.1.0, 2.2.0, 2.2.1, 2.3.0, 2.3.1, 2.4.0, 2.5.0, 2.5.1, 2.6.0, 2.7.0, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.9.0, 2.10.0, 2.10.1, 2.10.2, 2.10.3, 2.10.5, 2.10.6, 2.11.0, 2.11.1, 2.11.2, 2.12.0, 2.13.0, 2.14.1, 2.14.2, 2.14.3, 2.15.0, 2.15.1, 2.15.2, 2.16.0, 2.17.0, 2.17.1, 2.18.0, 2.18.1, 2.18.2, 2.19.0, 2.19.1, 2.19.2, 2.19.3, 2.19.4, 2.20.0, 2.20.1, 2.21.0, 2.22.0, 2.22.1, 2.22.2, 2.23.0, 2.24.0, 2.25.0, 2.25.1, 2.25.2, 2.26.0, 2.27.0, 2.28.0, 2.29.0, 2.29.1
All unaffected versions: 2.29.2, 2.29.3, 2.29.4, 2.30.0, 2.30.1
npm:moment
Dependent packages: 54,055
Dependent repositories: 1,006,179
Downloads: 80,231,810 last month
Affected Version Ranges: < 2.29.2
Fixed in: 2.29.2
All affected versions: 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.2.0, 1.3.0, 1.4.0, 1.5.0, 1.5.1, 1.6.0, 1.6.1, 1.6.2, 1.7.0, 1.7.1, 1.7.2, 2.0.0, 2.1.0, 2.2.1, 2.3.0, 2.3.1, 2.4.0, 2.5.0, 2.5.1, 2.6.0, 2.7.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.9.0, 2.10.2, 2.10.3, 2.10.5, 2.10.6, 2.11.0, 2.11.1, 2.11.2, 2.12.0, 2.13.0, 2.14.0, 2.14.1, 2.15.0, 2.15.1, 2.15.2, 2.16.0, 2.17.0, 2.17.1, 2.18.0, 2.18.1, 2.19.0, 2.19.1, 2.19.2, 2.19.3, 2.19.4, 2.20.0, 2.20.1, 2.21.0, 2.22.0, 2.22.1, 2.22.2, 2.23.0, 2.24.0, 2.25.0, 2.25.1, 2.25.2, 2.25.3, 2.26.0, 2.27.0, 2.28.0, 2.29.0, 2.29.1
All unaffected versions: 2.29.2, 2.29.3, 2.29.4, 2.30.0, 2.30.1