Apache Cordova: CB-13537

Regular Expression Denial of Service in cordova-plugin-globalization's moment.js version 2.8.4 that is being used


    Details

    • Flags:
      Patch, Important

      Description

      The following critical and medium security violation was found in moment
      (version 2.8.4).

      This version is used by the plugin cordova-plugin-globalization.
      This plugin obtains information and performs operations specific to the
      user's locale, language, and timezone.

      Vulnerability
      The moment package is vulnerable to a Regular Expression Denial of
      Service (ReDoS). The moment.duration() method in moment.js contains a
      regular expression, used to determine if an input is of the ASP.NET
      date format, that can cause an application to hang. The aspNetRegex,
      the variable's name in the code, causes very slow processing of
      exponentially long repetitive sequences leading to a Denial of Service
      (DoS) due to excessive resource consumption. A remote attacker could
      exploit this flaw by supplying a specially crafted request URL
      containing long repetitive sequences to cause the denial of service
      (DoS).

      Link: https://nodesecurity.io/advisories/55

      Further ReDoS fixes were provided, and moment.js version 2.19.3 and above resolves the security vulnerability completely.
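      The practical check that follows from the description is whether a project still pins a moment.js release older than the fixed 2.19.3, either directly or as a transitive dependency of a plugin such as cordova-plugin-globalization. The JavaScript below is an added example, not code from this issue, from Cordova, or from moment.js: it walks a lockfile-style dependency tree (the name-to-{version, dependencies} shape used by package-lock.json) and reports every path at which a vulnerable moment version is pinned. The sample tree and the plugin version numbers in it are constructed placeholders; only the moment version boundary (2.19.3) comes from the issue.

```javascript
// Added example: flag moment.js versions below the fix release named in CB-13537.
// Not from the Cordova issue, Cordova itself, or moment.js.
const FIXED_MOMENT_VERSION = "2.19.3"; // from the issue: 2.19.3 and above are fixed

// Parse "major.minor.patch" (optional leading "v", any pre-release suffix ignored).
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison of two versions: -1, 0 or 1.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${a} / ${b}`);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// A moment release is considered vulnerable when it is older than the fix.
function isVulnerableMoment(version) {
  return compareSemver(version, FIXED_MOMENT_VERSION) < 0;
}

// Recursively walk a dependency object of the form
//   { name: { version: "x.y.z", dependencies?: { ... } } }
// and return "a@1 > b@2 > moment@2.8.4"-style paths for every vulnerable moment.
function findVulnerableMoment(deps, path = []) {
  const hits = [];
  for (const [name, info] of Object.entries(deps || {})) {
    const here = [...path, `${name}@${info.version}`];
    if (name === "moment" && isVulnerableMoment(info.version)) {
      hits.push(here.join(" > "));
    }
    hits.push(...findVulnerableMoment(info.dependencies, here));
  }
  return hits;
}

// Constructed sample tree (placeholder plugin versions, not a real lockfile):
// one plugin still pulls in the affected moment 2.8.4, the others are fixed.
const SAMPLE_LOCK = {
  "cordova-plugin-globalization": {
    version: "1.0.0",
    dependencies: { moment: { version: "2.8.4" } },
  },
  "some-other-lib": {
    version: "1.0.0",
    dependencies: { moment: { version: "2.19.3" } },
  },
  moment: { version: "2.22.2" },
};

console.log(findVulnerableMoment(SAMPLE_LOCK));
```

      Run against a real project, the same function can be pointed at the parsed `dependencies` object of its package-lock.json; anything it reports is a copy of moment that still carries the aspNetRegex behaviour described above and should be upgraded to 2.19.3 or later.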

      People

      • Assignee:
        Unassigned
        Reporter:
        sruthakeerthik Srutha Keerthi