Posted to issues@cordova.apache.org by "Srutha Keerthi (JIRA)" <ji...@apache.org> on 2017/12/14 17:26:00 UTC
[jira] [Updated] (CB-13537) Regular Expression Denial of Service in cordova-plugin-globalization's moment.js version 2.8.4 that is being used
[ https://issues.apache.org/jira/browse/CB-13537?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Srutha Keerthi updated CB-13537:
--------------------------------
Security: (was: Non-Public)
> Regular Expression Denial of Service in cordova-plugin-globalization's moment.js version 2.8.4 that is being used
> -----------------------------------------------------------------------------------------------------------------
>
> Key: CB-13537
> URL: https://issues.apache.org/jira/browse/CB-13537
> Project: Apache Cordova
> Issue Type: Bug
> Components: cordova-plugin-globalization
> Affects Versions: 3.0.0
> Environment: All users of globalization plugin
> Reporter: Srutha Keerthi
> Labels: security
> Fix For: 3.0.0
>
> Original Estimate: 6h
> Remaining Estimate: 6h
>
> The following critical and medium security violation was found in moment
> (version 2.8.4).
> This is used by the plugin cordova-plugin-globalization.
> This plugin obtains information and performs operations specific to the
> user's locale, language, and timezone.
> Vulnerability
> The moment package is vulnerable to a Regular Expression Denial of
> Service (ReDoS). The moment.duration() method in moment.js contains a
> regular expression, used to determine if an input is of the ASP.NET
> date format, that can cause an application to hang. The aspNetRegex,
> the variable's name in the code, causes very slow processing of
> exponentially long repetitive sequences leading to a Denial of Service
> (DoS) due to excessive resource consumption. A remote attacker could
> exploit this flaw by supplying a specially crafted request URL
> containing long repetitive sequences to cause the denial of service
> (DoS).
> Link: https://nodesecurity.io/advisories/55
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
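The backtracking failure the report describes, together with the two defensive measures a consumer of such a duration parser can apply (an input-length cap and an unambiguous pattern) and a timing probe a test suite can use to catch super-linear regexes, as an added example written for this page, not code from moment.js or cordova-plugin-globalization. The regexes are constructed stand-ins modelled on the shape the report describes, and `MAX_DURATION_LEN`, `parseAspNetDuration` and `growthRatio` are hypothetical names.

```javascript
// Added example, not moment.js or cordova-plugin-globalization code.
// AMBIGUOUS is a constructed stand-in for the pattern shape the report
// describes (a "\d*" run, an optional ".", then "\d+"): a long digit run can
// be split between those pieces in many ways, and every split is retried
// once the required ":" fails, so a rejected input costs O(n^2) steps.
const AMBIGUOUS = /^(-)?(\d*)?\.?(\d+):(\d+)(?::(\d+)\.?(\d{3})?)?$/;

// Hardened stand-in: the day part is consumed only together with its "."
// separator, so a digit run has a single parse and rejection is O(n).
const UNAMBIGUOUS = /^(-)?(?:(\d+)\.)?(\d+):(\d+)(?::(\d+)(?:\.(\d{1,3}))?)?$/;

// Mitigation 1: cap input length before any regex runs. A d.hh:mm:ss.fff
// duration never needs more than a few dozen characters (assumed bound).
const MAX_DURATION_LEN = 32;

// Mitigation 2: match with the unambiguous pattern only. Returns null for
// anything rejected, including over-long input.
function parseAspNetDuration(input) {
  if (typeof input !== 'string' || input.length > MAX_DURATION_LEN) return null;
  const m = UNAMBIGUOUS.exec(input);
  if (!m) return null;
  return {
    sign: m[1] ? -1 : 1,
    days: m[2] ? Number(m[2]) : 0,
    hours: Number(m[3]),
    minutes: Number(m[4]),
    seconds: m[5] ? Number(m[5]) : 0,
    milliseconds: m[6] ? Number(m[6].padEnd(3, '0')) : 0,
  };
}

// Detection for a test suite: time a regex on a rejected digit run of length
// n and 2n. A linear pattern gives a ratio near 2; a quadratic one near 4.
const now = typeof performance !== 'undefined'
  ? () => performance.now()
  : () => Number(process.hrtime.bigint()) / 1e6;
function growthRatio(re, n, reps = 10) {
  const time = (len) => {
    const s = '9'.repeat(len);          // digits only, no ":" -> never matches
    const t0 = now();
    for (let i = 0; i < reps; i++) re.test(s);
    return now() - t0;
  };
  time(n);                               // warm-up run, result discarded
  return time(2 * n) / time(n);
}

console.log(parseAspNetDuration('1.02:03:04.500'));
console.log('ambiguous   ratio', growthRatio(AMBIGUOUS, 2000).toFixed(1));
console.log('unambiguous ratio', growthRatio(UNAMBIGUOUS, 2000).toFixed(1));
```

The printed ratios vary with the machine, so a regression test should assert a generous threshold (for example, fail when the ratio exceeds 3) rather than an exact value.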