CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
AI Score
Confidence
High
EPSS
Percentile
81.4%
moment is a JavaScript date library for parsing, validating, manipulating,
and formatting dates. Affected versions of moment were found to use an
inefficient parsing algorithm. Specifically using string-to-date parsing in
moment (more specifically rfc2822 parsing, which is tried by default) has
quadratic (N^2) complexity on specific inputs. Users may notice a
noticeable slowdown is observed with inputs above 10k characters. Users who
pass user-provided strings without sanity length checks to moment
constructor are vulnerable to (Re)DoS attacks. The problem is patched in
2.29.4, the patch can be applied to all affected versions with minimal
tweaking. Users are advised to upgrade. Users unable to upgrade should
consider limiting date lengths accepted from user input.
Author | Note |
---|---|
ccdm94 | postfixadmin in focal and earlier does not contain embedded copies of JavaScript moment. In jammy and later releases moment.js is available through Bootstrap rather than through an embedded upstream JavaScript moment code. |
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | gnucash | < any | UNKNOWN |
ubuntu | 20.04 | noarch | gnucash | < any | UNKNOWN |
ubuntu | 22.04 | noarch | gnucash | < any | UNKNOWN |
ubuntu | 24.04 | noarch | gnucash | < any | UNKNOWN |
ubuntu | 16.04 | noarch | gnucash | < any | UNKNOWN |
ubuntu | 18.04 | noarch | mediawiki | < any | UNKNOWN |
ubuntu | 20.04 | noarch | mediawiki | < any | UNKNOWN |
ubuntu | 22.04 | noarch | mediawiki | < any | UNKNOWN |
ubuntu | 24.04 | noarch | mediawiki | < any | UNKNOWN |
ubuntu | 18.04 | noarch | node-moment | < 2.20.1+ds-1ubuntu0.1 | UNKNOWN |
github.com/moment/moment/pull/6015#issuecomment-1152961973
github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g
launchpad.net/bugs/cve/CVE-2022-31129
nvd.nist.gov/vuln/detail/CVE-2022-31129
security-tracker.debian.org/tracker/CVE-2022-31129
ubuntu.com/security/notices/USN-5559-1
ubuntu.com/security/notices/USN-6550-1
www.cve.org/CVERecord?id=CVE-2022-31129
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
AI Score
Confidence
High
EPSS
Percentile
81.4%