Details
Type: Bug
Status: Closed
Priority: Critical
Resolution: Fixed
3.0.0
None
All users of globalization plugin
Patch, Important
Description
The following critical and medium severity security issues were found in moment (version 2.8.4), which cordova-plugin-globalization depends on. The plugin obtains information and performs operations specific to the user's locale, language and timezone.
Vulnerability
The moment package is vulnerable to Regular Expression Denial of Service (ReDoS). The moment.duration() method tests its input against a regular expression (aspNetRegex in the source) meant to recognise the ASP.NET TimeSpan date format. That pattern is unanchored and greedy over digits, so a long repetitive input such as a run of digits with no ':' separator makes the engine rescan and backtrack over the rest of the string from every start position; matching time grows far faster than the input length, and the single JavaScript thread is blocked for the whole match (denial of service through excessive CPU consumption). A remote attacker can trigger this by supplying such a string wherever the application passes untrusted input, for example a request URL parameter, to moment.duration().
Link: https://nodesecurity.io/advisories/55 (CVE-2016-4055; first fixed in moment 2.11.2)
A further ReDoS in the same duration parsing code was fixed later (CVE-2017-18214), so moment 2.19.3 and above resolves the issue completely. To confirm which moment an application actually resolves, run npm ls moment in the project and check that the reported version is 2.19.3 or later.
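As an added example (not code from the moment.js project or from this issue), the following Node.js script shows why an unanchored, digit-greedy pattern of the shape aspNetRegex had backtracks quadratically on a long digit run without a ':', and contrasts it with an anchored pattern plus an input-length cap, which is the application-side check to apply when the library version cannot be upgraded immediately. The two regular expressions, the 64-character cap, the crafted input and the function names are reconstructions and assumptions for illustration, not copied from any moment release.

```javascript
// Added example, not moment.js source: demonstrates the ReDoS shape behind
// the advisory and two mitigations (anchoring, input-length cap).
// Both patterns below are reconstructions of the shape of moment's
// aspNetRegex (an assumption), not copies of any release's source.

// Vulnerable shape: unanchored, with two greedy digit groups in front of a
// literal ':' that the attacker simply leaves out. On "111...1" the engine
// scans and backtracks over the remaining digits from every start position,
// so matching time grows roughly with the square of the input length.
const UNANCHORED = /(-)?(?:(\d*)\.)?(\d+):(\d+)(?::(\d+)\.?(\d{3})?)?/;

// Hardened shape: anchored at both ends. The engine tries exactly one start
// position, backtracks once over the digits, and fails in linear time.
const ANCHORED = /^(-)?(?:(\d*)\.)?(\d+):(\d+)(?::(\d+)\.?(\d{3})?)?$/;

// Assumed generous cap: a legitimate TimeSpan such as "-3.04:05:06.789" is
// far shorter, so anything longer is rejected before the regex ever runs.
const MAX_DURATION_INPUT = 64;

// Parse an ASP.NET TimeSpan-style string ("[-][d.]hh:mm[:ss[.fff]]") into
// its components with the anchored pattern. Returns null for inputs that
// exceed the cap or do not match.
function parseAspNetDuration(input) {
  if (typeof input !== 'string' || input.length > MAX_DURATION_INPUT) return null;
  const m = ANCHORED.exec(input);
  if (m === null) return null;
  return {
    sign: m[1] === '-' ? -1 : 1,
    days: m[2] === undefined ? 0 : Number(m[2]),
    hours: Number(m[3]),
    minutes: Number(m[4]),
    seconds: m[5] === undefined ? 0 : Number(m[5]),
    milliseconds: m[6] === undefined ? 0 : Number(m[6]),
  };
}

// Constructed attacker input, as in the advisory: a long run of digits with no ':'.
function craftedInput(n) {
  return '1'.repeat(n);
}

// Wall-clock milliseconds for one exec() of `re` against `input`.
function timeMatch(re, input) {
  const now = () => (typeof performance !== 'undefined' ? performance.now() : Date.now());
  const start = now();
  re.exec(input);
  return now() - start;
}

// Run both patterns on an n-digit crafted input and report timings. Neither
// pattern matches; the difference is how long each takes to say so.
function compareBacktracking(n) {
  const input = craftedInput(n);
  return {
    n,
    unanchoredMs: timeMatch(UNANCHORED, input),
    anchoredMs: timeMatch(ANCHORED, input),
    unanchoredMatched: UNANCHORED.test(input),
    anchoredMatched: ANCHORED.test(input),
  };
}

function main() {
  console.log(parseAspNetDuration('-3.04:05:06.789'));
  // Doubling n roughly quadruples the unanchored time; the anchored time stays flat.
  for (const n of [1000, 2000, 4000]) {
    const r = compareBacktracking(n);
    console.log(`n=${r.n} unanchored=${r.unanchoredMs.toFixed(1)}ms anchored=${r.anchoredMs.toFixed(3)}ms`);
  }
  // The length cap rejects the crafted input without touching the regex at all.
  console.log(parseAspNetDuration(craftedInput(100000)));
}

main();
```

Run it with node; the printed timings make the growth visible. Anchoring fixes the pattern itself (the shape of the upstream fix), while the length cap protects a caller that cannot yet upgrade: a duration string that is longer than a few dozen characters is never legitimate, so refusing it before parsing costs nothing.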