CVE-2022-24785

ADVISORY - github

Summary

Impact

This vulnerability impacts npm (server) users of moment.js, especially if user provided locale string, eg fr is directly used to switch moment locale.

Patches

This problem is patched in 2.29.2, and the patch can be applied to all affected versions (from 1.0.1 up until 2.29.1, inclusive).

Workarounds

Sanitize user-provided locale name before passing it to moment.js.

References

Are there any links users can visit to find out more?

For more information

If you have any questions or comments about this advisory:

Open an issue in moment repo

EPSS Score⁠: 0.00724 (0.716)

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-22⁠

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-27⁠

Path Traversal: 'dir/../../filename'

ADVISORY - github

CWE-22⁠

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-27⁠

Path Traversal: 'dir/../../filename'

ADVISORY - gitlab

CWE-1035⁠

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

CWE-22⁠

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-27⁠

Path Traversal: 'dir/../../filename'

CWE-937⁠

OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

ADVISORY - redhat

CWE-22⁠

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Impacted images

Advisories

NIST

CREATED

3 years ago

UPDATED

9 months ago

ADVISORY IDCVE-2022-24785⁠

EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)

CWE-22⁠CWE-27⁠

CVSS SCORE

7.5high

GitHub

CREATED

3 years ago

UPDATED

3 years ago

ADVISORY IDGHSA-8hfj-j24r-96c4⁠

EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)

CWE-22⁠CWE-27⁠

CVSS SCORE

7.5high

Debian

CREATED

3 years ago

UPDATED

23 days ago

ADVISORY IDCVE-2022-24785⁠

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

Ubuntu

CREATED

3 years ago

UPDATED

5 months ago

ADVISORY IDCVE-2022-24785⁠

EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

7.5medium

GitLab

CREATED

3 years ago

UPDATED

2 years ago

ADVISORY ID

CVE-2022-24785

EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)

CWE-1035⁠CWE-22⁠CWE-27⁠CWE-937⁠

CVSS SCORE

7.5high

Red Hat

CREATED

3 years ago

UPDATED

5 months ago

ADVISORY IDCVE-2022-24785⁠

EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)

CWE-22⁠

CVSS SCORE

7.5medium