Posted to issues@cordova.apache.org by "Srutha Keerthi (JIRA)" <ji...@apache.org> on 2018/02/02 06:35:00 UTC

[jira] [Updated] (CB-13537) Regular Expression Denial of Service in cordova-plugin-globalization's moment.js version 2.8.4 that is being used

     [ https://issues.apache.org/jira/browse/CB-13537?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Srutha Keerthi updated CB-13537:
--------------------------------
    Description: 
The following critical and medium security violations were found on moment (version 2.8.4).

This is used by the plugin cordova-plugin-globalization. This plugin obtains information and performs operations specific to the user's locale, language, and timezone.

Vulnerability
The moment package is vulnerable to a Regular Expression Denial of Service (ReDoS). The moment.duration() method in moment.js contains a regular expression, used to determine if an input is of the ASP.NET date format, that can cause an application to hang. The aspNetRegex, the variable's name in the code, causes very slow processing of exponentially long repetitive sequences leading to a Denial of Service (DoS) due to excessive resource consumption. A remote attacker could exploit this flaw by supplying a specially crafted request URL containing long repetitive sequences to cause the denial of service (DoS).

Link : [https://nodesecurity.io/advisories/55]

Further ReDoS fixes were provided and the moment.js version 2.19.3 and above solves the security vulnerability completely.
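The practical check a maintainer wants from this report is whether a project still ships a moment.js build older than the 2.19.3 fix release. The following is an added example, not code from the Cordova project or from moment.js: it walks a constructed `npm ls --json`-style dependency tree and flags every `moment` entry below 2.19.3 (the plugin version and tree layout are assumed for illustration).

```javascript
// Added example (not from the Cordova issue or moment.js): flag bundled
// moment.js versions below the 2.19.3 fix release named in the report.
const FIXED_MOMENT_VERSION = '2.19.3'; // taken from the issue text

function parseVersion(spec) {
  // Strip a leading range operator; the floor of a caret/tilde range is the
  // lowest version that could be installed, which is what we must judge.
  const m = /^[\^~>=\s]*v?(\d+)\.(\d+)\.(\d+)/.exec(spec);
  if (!m) return null; // "latest", "*", git URLs etc. cannot be judged offline
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// true: below the fix; false: fixed; null: version spec could not be parsed.
function momentIsVulnerable(spec) {
  const v = parseVersion(spec);
  if (v === null) return null;
  return compareVersions(v, parseVersion(FIXED_MOMENT_VERSION)) < 0;
}

// Recursively collect every 'moment' node in the tree that is below the fix,
// recording the dependency path so the owning plugin/library is visible.
function findVulnerableMoment(tree, path = [], out = []) {
  const deps = tree.dependencies || {};
  for (const [name, node] of Object.entries(deps)) {
    const here = path.concat(name);
    if (name === 'moment' && momentIsVulnerable(node.version) === true) {
      out.push({ path: here.join(' > '), version: node.version });
    }
    findVulnerableMoment(node, here, out);
  }
  return out;
}

// Constructed sample tree (assumed layout): the plugin carrying the 2.8.4
// build from the report next to a library already on the fixed release.
const SAMPLE_TREE = {
  dependencies: {
    'cordova-plugin-globalization': {
      version: '3.0.0',
      dependencies: { moment: { version: '2.8.4' } },
    },
    'other-lib': { version: '1.0.0', dependencies: { moment: { version: '^2.19.3' } } },
  },
};

console.log(findVulnerableMoment(SAMPLE_TREE));
```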

  was:
The following critical and medium security violations were found on moment (version 2.8.4).

This is used by the plugin cordova-plugin-globalization. This plugin obtains information and performs operations specific to the user's locale, language, and timezone.

Vulnerability
The moment package is vulnerable to a Regular Expression Denial of Service (ReDoS). The moment.duration() method in moment.js contains a regular expression, used to determine if an input is of the ASP.NET date format, that can cause an application to hang. The aspNetRegex, the variable's name in the code, causes very slow processing of exponentially long repetitive sequences leading to a Denial of Service (DoS) due to excessive resource consumption. A remote attacker could exploit this flaw by supplying a specially crafted request URL containing long repetitive sequences to cause the denial of service (DoS).

Link : https://nodesecurity.io/advisories/55



> Regular Expression Denial of Service in cordova-plugin-globalization's moment.js version 2.8.4 that is being used
> -----------------------------------------------------------------------------------------------------------------
>
>                 Key: CB-13537
>                 URL: https://issues.apache.org/jira/browse/CB-13537
>             Project: Apache Cordova
>          Issue Type: Bug
>          Components: cordova-plugin-globalization
>    Affects Versions: 3.0.0
>         Environment: All users of globalization plugin
>            Reporter: Srutha Keerthi
>            Priority: Critical
>              Labels: security
>             Fix For: 3.0.0
>
>   Original Estimate: 6h
>  Remaining Estimate: 6h
>



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org
For additional commands, e-mail: issues-help@cordova.apache.org