Your submission was sent successfully! Close

You have successfully unsubscribed! Close

CVE-2022-24785

Published: 4 April 2022

Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.

Priority

Medium

Cvss 3 Severity Score

7.5

Score breakdown

Status

Package Release Status
nikola
Launchpad, Ubuntu, Debian
trusty Ignored
(out of standard support)
upstream Needs triage

xenial Needs triage

node-moment
Launchpad, Ubuntu, Debian
bionic
Released (2.20.1+ds-1ubuntu0.1)
focal
Released (2.24.0+ds-2ubuntu0.1)
impish Ignored
(reached end-of-life)
jammy
Released (2.29.1+ds-3ubuntu0.2)
trusty Ignored
(out of standard support)
upstream
Released (2.29.2+ds-1)
xenial Needs triage

Patches:
upstream: https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5

Severity score breakdown

Parameter Value
Base score 7.5
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality None
Integrity impact High
Availability impact None
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N