CVE-2022-24785

Description

Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.

CVSS Metrics

• v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
• v2.0•MEDIUM•Score: 5AV:N/AC:L/Au:N/C:N/I:P/A:N

EPSS Trends

Current EPSS score: 1.83%• Percentile: 83%

Techniques & Countermeasures

• CWE-22•Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

  The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

• CWE-27•Path Traversal: 'dir/../../filename'

  The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize multiple internal "../" sequences that can resolve to a location that is outside of that directory.

Affected Systems

• debian•debian_linux

  10.0

• fedoraproject•fedora

  35 | 36

• moment•moment

  ≥ 1.0.1, < 2.29.2

• momentjs•moment

  ≥ 1.0.1, < 2.29.2

• netapp•active_iq

  na

• Npm•moment

  < 2.29.2

• NuGet•Moment.js

  < 2.29.2

• tenable•tenable.sc

  < 5.21.0

References (16)

• https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4
• https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5
• https://www.tenable.com/security/tns-2022-09
• https://security.netapp.com/advisory/ntap-20220513-0006/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/
• https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html
• https://security.netapp.com/advisory/ntap-20241108-0002/
• https://nvd.nist.gov/vuln/detail/CVE-2022-24785
• https://github.com/moment/moment
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5
• https://security.netapp.com/advisory/ntap-20220513-0006
• https://security.netapp.com/advisory/ntap-20241108-0002