CVE-2022-31129
Published: 6 July 2022
moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
gnucash Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
| focal |
Needs triage
|
|
| impish |
Ignored
(reached end-of-life)
|
|
| jammy |
Needs triage
|
|
| kinetic |
Needs triage
|
|
| trusty |
Ignored
(end of standard support, was needs-triage)
|
|
| upstream |
Needs triage
|
|
| xenial |
Needs triage
|
|
|
mediawiki Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
| focal |
Needs triage
|
|
| impish |
Ignored
(reached end-of-life)
|
|
| jammy |
Needs triage
|
|
| kinetic |
Needs triage
|
|
| trusty |
Ignored
(end of standard support, was needs-triage)
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
|
node-moment Launchpad, Ubuntu, Debian |
bionic |
Released
(2.20.1+ds-1ubuntu0.1)
|
| focal |
Released
(2.24.0+ds-2ubuntu0.1)
|
|
| impish |
Ignored
(reached end-of-life)
|
|
| jammy |
Released
(2.29.1+ds-3ubuntu0.2)
|
|
| kinetic |
Pending
(2.29.4+ds-1)
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(2.29.4)
|
|
| xenial |
Needs triage
|
|
|
Patches: upstream: https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3 |
||
|
ntopng Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
| focal |
Needs triage
|
|
| impish |
Does not exist
|
|
| jammy |
Needs triage
|
|
| kinetic |
Needs triage
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Needs triage
|
|
|
odoo Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Does not exist
|
|
| impish |
Ignored
(reached end-of-life)
|
|
| jammy |
Needs triage
|
|
| kinetic |
Needs triage
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
|
omnidb Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Needs triage
|
|
| impish |
Ignored
(reached end-of-life)
|
|
| jammy |
Needs triage
|
|
| kinetic |
Needs triage
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
|
postfixadmin Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
| focal |
Needs triage
|
|
| impish |
Ignored
(reached end-of-life)
|
|
| jammy |
Needs triage
|
|
| kinetic |
Needs triage
|
|
| trusty |
Ignored
(end of standard support, was needs-triage)
|
|
| upstream |
Needs triage
|
|
| xenial |
Needs triage
|
|
|
ruby-momentjs-rails Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Needs triage
|
|
| impish |
Ignored
(reached end-of-life)
|
|
| jammy |
Needs triage
|
|
| kinetic |
Needs triage
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
|
sabnzbdplus Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
| focal |
Needs triage
|
|
| impish |
Ignored
(reached end-of-life)
|
|
| jammy |
Needs triage
|
|
| kinetic |
Needs triage
|
|
| trusty |
Ignored
(end of standard support, was needs-triage)
|
|
| upstream |
Needs triage
|
|
| xenial |
Needs triage
|
|
|
syncthing Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
| focal |
Needs triage
|
|
| impish |
Ignored
(reached end-of-life)
|
|
| jammy |
Needs triage
|
|
| kinetic |
Needs triage
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
|
wordpress Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
| focal |
Needs triage
|
|
| impish |
Ignored
(reached end-of-life)
|
|
| jammy |
Needs triage
|
|
| kinetic |
Needs triage
|
|
| trusty |
Ignored
(end of standard support, was needs-triage)
|
|
| upstream |
Needs triage
|
|
| xenial |
Needs triage
|
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 7.5 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | None |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |