CVE-2022-31129
Published: 6 July 2022
moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
node-moment Launchpad, Ubuntu, Debian |
kinetic |
Not vulnerable
(2.29.4+ds-1)
|
| bionic |
Released
(2.20.1+ds-1ubuntu0.1)
|
|
| focal |
Released
(2.24.0+ds-2ubuntu0.1)
|
|
| impish |
Ignored
(end of life)
|
|
| jammy |
Released
(2.29.1+ds-3ubuntu0.2)
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(2.29.4)
|
|
| xenial |
Needs triage
|
|
| lunar |
Not vulnerable
(2.29.4+ds-1)
|
|
|
Patches: upstream: https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3 |
||
|
gnucash Launchpad, Ubuntu, Debian |
kinetic |
Ignored
(end of life, was needs-triage)
|
| impish |
Ignored
(end of life)
|
|
| trusty |
Ignored
(end of standard support, was needs-triage)
|
|
| bionic |
Needs triage
|
|
| focal |
Needs triage
|
|
| jammy |
Needs triage
|
|
| upstream |
Needs triage
|
|
| xenial |
Needs triage
|
|
| lunar |
Needs triage
|
|
|
mediawiki Launchpad, Ubuntu, Debian |
kinetic |
Ignored
(end of life, was needs-triage)
|
| impish |
Ignored
(end of life)
|
|
| jammy |
Needs triage
|
|
| trusty |
Ignored
(end of standard support, was needs-triage)
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
| bionic |
Needs triage
|
|
| focal |
Needs triage
|
|
| lunar |
Needs triage
|
|
|
ntopng Launchpad, Ubuntu, Debian |
kinetic |
Ignored
(end of life, was needs-triage)
|
| bionic |
Needs triage
|
|
| focal |
Needs triage
|
|
| impish |
Does not exist
|
|
| jammy |
Needs triage
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Needs triage
|
|
| lunar |
Needs triage
|
|
|
odoo Launchpad, Ubuntu, Debian |
kinetic |
Ignored
(end of life, was needs-triage)
|
| bionic |
Does not exist
|
|
| focal |
Does not exist
|
|
| impish |
Ignored
(end of life)
|
|
| jammy |
Needs triage
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
| lunar |
Needs triage
|
|
|
omnidb Launchpad, Ubuntu, Debian |
kinetic |
Ignored
(end of life, was needs-triage)
|
| bionic |
Does not exist
|
|
| focal |
Needs triage
|
|
| impish |
Ignored
(end of life)
|
|
| jammy |
Needs triage
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
| lunar |
Needs triage
|
|
|
postfixadmin Launchpad, Ubuntu, Debian |
kinetic |
Ignored
(end of life, was needs-triage)
|
| bionic |
Needs triage
|
|
| focal |
Needs triage
|
|
| impish |
Ignored
(end of life)
|
|
| jammy |
Needs triage
|
|
| trusty |
Ignored
(end of standard support, was needs-triage)
|
|
| upstream |
Needs triage
|
|
| xenial |
Needs triage
|
|
| lunar |
Needs triage
|
|
|
ruby-momentjs-rails Launchpad, Ubuntu, Debian |
kinetic |
Ignored
(end of life, was needs-triage)
|
| bionic |
Does not exist
|
|
| focal |
Needs triage
|
|
| impish |
Ignored
(end of life)
|
|
| jammy |
Needs triage
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
| lunar |
Needs triage
|
|
|
sabnzbdplus Launchpad, Ubuntu, Debian |
kinetic |
Ignored
(end of life, was needs-triage)
|
| bionic |
Needs triage
|
|
| focal |
Needs triage
|
|
| impish |
Ignored
(end of life)
|
|
| jammy |
Needs triage
|
|
| trusty |
Ignored
(end of standard support, was needs-triage)
|
|
| upstream |
Needs triage
|
|
| xenial |
Needs triage
|
|
| lunar |
Needs triage
|
|
|
syncthing Launchpad, Ubuntu, Debian |
kinetic |
Ignored
(end of life, was needs-triage)
|
| bionic |
Needs triage
|
|
| focal |
Needs triage
|
|
| impish |
Ignored
(end of life)
|
|
| jammy |
Needs triage
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
| lunar |
Needs triage
|
|
|
wordpress Launchpad, Ubuntu, Debian |
kinetic |
Ignored
(end of life, was needs-triage)
|
| bionic |
Needs triage
|
|
| focal |
Needs triage
|
|
| impish |
Ignored
(end of life)
|
|
| jammy |
Needs triage
|
|
| trusty |
Ignored
(end of standard support, was needs-triage)
|
|
| upstream |
Needs triage
|
|
| xenial |
Needs triage
|
|
| lunar |
Needs triage
|
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 7.5 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | None |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |