Posted to issues@cordova.apache.org by "Srutha Keerthi (JIRA)" <ji...@apache.org> on 2017/11/06 07:02:00 UTC

[jira] [Updated] (CB-13537) Regular Expression Denial of Service in cordova-plugin-globalization's moment.js version 2.8.4 that is being used

     [ https://issues.apache.org/jira/browse/CB-13537?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Srutha Keerthi updated CB-13537:
--------------------------------
    Priority: Minor  (was: Major)

> Regular Expression Denial of Service in cordova-plugin-globalization's moment.js version 2.8.4 that is being used
> -----------------------------------------------------------------------------------------------------------------
>
>                 Key: CB-13537
>                 URL: https://issues.apache.org/jira/browse/CB-13537
>             Project: Apache Cordova
>          Issue Type: Bug
>          Components: cordova-plugin-globalization
>    Affects Versions: 3.0.0
>         Environment: All users of globalization plugin
>            Reporter: Srutha Keerthi
>            Priority: Minor
>              Labels: security
>             Fix For: 3.0.0
>
>   Original Estimate: 6h
>  Remaining Estimate: 6h
>
> The following critical and medium security violation was found in moment
> (version 2.8.4).
> This is used by the plugin cordova-plugin-globalization.
> This plugin obtains information and performs operations specific to the
> user's locale, language, and timezone.
> Vulnerability
> The moment package is vulnerable to a Regular Expression Denial of
> Service (ReDoS). The moment.duration() method in moment.js contains a
> regular expression, used to determine if an input is of the ASP.NET
> date format, that can cause an application to hang. The aspNetRegex,
> the variable's name in the code, causes very slow processing of
> exponentially long repetitive sequences leading to a Denial of Service
> (DoS) due to excessive resource consumption. A remote attacker could
> exploit this flaw by supplying a specially crafted request URL
> containing long repetitive sequences to cause the denial of service
> (DoS).
> Link: https://nodesecurity.io/advisories/55



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
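As an added defensive example (not code from the ticket, the plugin or moment.js), the following is a length-bounded, single-pass parser for the ASP.NET duration format that moment.duration() tries to recognise; the exact grammar (digit counts, ranges) and the 32-character cap are assumptions made for this example. Validating untrusted input with one forward scan like this, or at least capping its length before handing it to a library regex, leaves no backtracking for long repetitive input to drive.

```javascript
// Added defensive example, not code from the ticket or from moment.js.
// Hand-written, single-pass parser for the ASP.NET TimeSpan-style string
// "[-][d.]hh:mm[:ss[.fff]]" that moment.duration() tries to recognise.
// Input length is capped and each character is visited once, so there is
// no regex backtracking. Digit counts, ranges and the cap are assumptions.
const MAX_ASPNET_DURATION_LEN = 32;
function parseAspNetDuration(input) {
  if (typeof input !== 'string' || input.length === 0 ||
      input.length > MAX_ASPNET_DURATION_LEN) {
    return null; // rejected before any parsing work is done
  }
  let pos = 0;
  // Consume a run of digits; null unless its length is within [min, max].
  const readDigits = (min, max) => {
    const start = pos;
    while (pos < input.length && input[pos] >= '0' && input[pos] <= '9') pos++;
    const len = pos - start;
    return len >= min && len <= max ? Number(input.slice(start, pos)) : null;
  };
  const expect = (ch) => (input[pos] === ch ? (pos++, true) : false);
  const negative = expect('-');
  let days = 0;
  let hours = readDigits(1, 7);
  if (hours === null) return null;
  if (expect('.')) { // the first number was days; hours follow
    days = hours;
    hours = readDigits(1, 2);
    if (hours === null) return null;
  }
  if (!expect(':')) return null;
  const minutes = readDigits(1, 2);
  if (minutes === null) return null;
  let seconds = 0, milliseconds = 0;
  if (expect(':')) {
    seconds = readDigits(1, 2);
    if (seconds === null) return null;
    if (expect('.')) {
      const fracStart = pos;
      const frac = readDigits(1, 3);
      if (frac === null) return null;
      milliseconds = frac * 10 ** (3 - (pos - fracStart)); // ".5" -> 500 ms
    }
  }
  if (pos !== input.length) return null; // trailing characters rejected
  if (hours > 23 || minutes > 59 || seconds > 59) return null;
  const sign = negative ? -1 : 1;
  const totalMs = sign * ((((days * 24 + hours) * 60 + minutes) * 60 + seconds) * 1000 + milliseconds);
  return { sign, days, hours, minutes, seconds, milliseconds, totalMs };
}
```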