7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
0.003 Low
EPSS
Percentile
70.7%
This vulnerability impacts npm (server) users of moment.js, especially if user provided locale string, eg fr
is directly used to switch moment locale.
This problem is patched in 2.29.2, and the patch can be applied to all affected versions (from 1.0.1 up until 2.29.1, inclusive).
Sanitize user-provided locale name before passing it to moment.js.
Are there any links users can visit to find out more?
If you have any questions or comments about this advisory:
github.com/moment/moment
github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5
github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4
lists.debian.org/debian-lts-announce/2023/01/msg00035.html
lists.fedoraproject.org/archives/list/[email protected]/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q
lists.fedoraproject.org/archives/list/[email protected]/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5
nvd.nist.gov/vuln/detail/CVE-2022-24785
security.netapp.com/advisory/ntap-20220513-0006
www.tenable.com/security/tns-2022-09
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
0.003 Low
EPSS
Percentile
70.7%