CVE-2022-31129
Description
moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.
Risk Information
Base Score
7.5
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score
Exploitation Probability
3.435
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Multiple vulnerabilities are fixed in Nessus Agent (x64) (10.3.1) | Windows |
| Multiple vulnerabilities are fixed in Nessus Agent (10.3.1) | Windows |
| Multiple vulnerabilities are fixed in Tenable Nessus 10.3.1 | Windows |
| Multiple vulnerabilities are affected in Oracle PeopleSoft Enterprise PeopleTools 8.58 | Windows |
| Multiple vulnerabilities are affected in Oracle PeopleSoft Enterprise PeopleTools 8.59 | Windows |
| Multiple vulnerabilities are affected in Oracle PeopleSoft Enterprise PeopleTools 8.60 | Windows |
| Multiple Vulnerabilities are affected in IBM WebMethods Integration Server 10.15 | Windows |
| Multiple Vulnerabilities are affected in IBM Cognos Analytics 11.1 | Windows |
| Multiple Vulnerabilities are affected in IBM Cognos Analytics 11.2 | Windows |
| Multiple Vulnerabilities are affected in IBM WebMethods Integration Server 10.11 | Windows |
| Multiple Vulnerabilities are affected in IBM WebMethods Integration Server 11.1 | Windows |
| Vulnerabilities CVE-2022-31129 are fixed in Nuget - Moment.js 2.29.4 | Windows |
| Work with dates in JavaScript (Node.js module) (USN-5559-1) node-moment_2.20.1+ds-1ubuntu0.1_all.deb | Linux |
| Work with dates in JavaScript (Node.js module) (USN-5559-1) node-moment_2.24.0+ds-2ubuntu0.1_all.deb | Linux |
| Work with dates in JavaScript (Node.js module) (USN-5559-1) node-moment_2.29.1+ds-3ubuntu0.2_all.deb | Linux |
| Work with dates in JavaScript (Node.js module) (USN-5559-1) libjs-moment_2.20.1+ds-1ubuntu0.1_all.deb | Linux |
| Work with dates in JavaScript (Node.js module) (USN-5559-1) libjs-moment_2.24.0+ds-2ubuntu0.1_all.deb | Linux |
| Work with dates in JavaScript (Node.js module) (USN-5559-1) libjs-moment_2.29.1+ds-3ubuntu0.2_all.deb | Linux |
| (RHSA-2023:3623) Red Hat Ceph Storage 6.1 security and bug fix update ansible-collection-ansible-posix-1.2.0-1.3.el9ost.noarch.rpm | Linux |
| (RHSA-2023:3623) Red Hat Ceph Storage 6.1 security and bug fix update ceph-base-17.2.6-70.el9cp.x86_64.rpm | Linux |
| (RHSA-2023:3623) Red Hat Ceph Storage 6.1 security and bug fix update ceph-common-17.2.6-70.el9cp.x86_64.rpm | Linux |
| (RHSA-2023:3623) Red Hat Ceph Storage 6.1 security and bug fix update ceph-debugsource-17.2.6-70.el9cp.x86_64.rpm | Linux |
| (RHSA-2023:3623) Red Hat Ceph Storage 6.1 security and bug fix update ceph-fuse-17.2.6-70.el9cp.x86_64.rpm | Linux |
| (RHSA-2023:3623) Red Hat Ceph Storage 6.1 security and bug fix update ceph-immutable-object-cache-17.2.6-70.el9cp.x86_64.rpm | Linux |
| (RHSA-2023:3623) Red Hat Ceph Storage 6.1 security and bug fix update ceph-mib-17.2.6-70.el9cp.noarch.rpm | Linux |
| (RHSA-2023:3623) Red Hat Ceph Storage 6.1 security and bug fix update ceph-resource-agents-17.2.6-70.el9cp.noarch.rpm | Linux |
| (RHSA-2023:3623) Red Hat Ceph Storage 6.1 security and bug fix update ceph-selinux-17.2.6-70.el9cp.x86_64.rpm | Linux |
| (RHSA-2023:3623) Red Hat Ceph Storage 6.1 security and bug fix update cephadm-17.2.6-70.el9cp.noarch.rpm | Linux |
| (RHSA-2023:3623) Red Hat Ceph Storage 6.1 security and bug fix update cephadm-ansible-2.15.0-1.el9cp.noarch.rpm | Linux |
| (RHSA-2023:3623) Red Hat Ceph Storage 6.1 security and bug fix update cephfs-top-17.2.6-70.el9cp.noarch.rpm | Linux |
| (RHSA-2023:3623) Red Hat Ceph Storage 6.1 security and bug fix update libcephfs-devel-17.2.6-70.el9cp.x86_64.rpm | Linux |
| (RHSA-2023:3623) Red Hat Ceph Storage 6.1 security and bug fix update libcephfs2-17.2.6-70.el9cp.x86_64.rpm | Linux |
| (RHSA-2023:3623) Red Hat Ceph Storage 6.1 security and bug fix update librados-devel-17.2.6-70.el9cp.x86_64.rpm | Linux |
| (RHSA-2023:3623) Red Hat Ceph Storage 6.1 security and bug fix update librados2-17.2.6-70.el9cp.x86_64.rpm | Linux |
| (RHSA-2023:3623) Red Hat Ceph Storage 6.1 security and bug fix update libradospp-devel-17.2.6-70.el9cp.x86_64.rpm | Linux |
| (RHSA-2023:3623) Red Hat Ceph Storage 6.1 security and bug fix update libradosstriper1-17.2.6-70.el9cp.x86_64.rpm | Linux |
| (RHSA-2023:3623) Red Hat Ceph Storage 6.1 security and bug fix update librbd-devel-17.2.6-70.el9cp.x86_64.rpm | Linux |
| (RHSA-2023:3623) Red Hat Ceph Storage 6.1 security and bug fix update librbd1-17.2.6-70.el9cp.x86_64.rpm | Linux |
| (RHSA-2023:3623) Red Hat Ceph Storage 6.1 security and bug fix update librgw-devel-17.2.6-70.el9cp.x86_64.rpm | Linux |
| (RHSA-2023:3623) Red Hat Ceph Storage 6.1 security and bug fix update librgw2-17.2.6-70.el9cp.x86_64.rpm | Linux |
| (RHSA-2023:3623) Red Hat Ceph Storage 6.1 security and bug fix update python3-ceph-argparse-17.2.6-70.el9cp.x86_64.rpm | Linux |
| (RHSA-2023:3623) Red Hat Ceph Storage 6.1 security and bug fix update python3-ceph-common-17.2.6-70.el9cp.x86_64.rpm | Linux |
| (RHSA-2023:3623) Red Hat Ceph Storage 6.1 security and bug fix update python3-cephfs-17.2.6-70.el9cp.x86_64.rpm | Linux |
| (RHSA-2023:3623) Red Hat Ceph Storage 6.1 security and bug fix update python3-rados-17.2.6-70.el9cp.x86_64.rpm | Linux |
| (RHSA-2023:3623) Red Hat Ceph Storage 6.1 security and bug fix update python3-rbd-17.2.6-70.el9cp.x86_64.rpm | Linux |
| (RHSA-2023:3623) Red Hat Ceph Storage 6.1 security and bug fix update python3-rgw-17.2.6-70.el9cp.x86_64.rpm | Linux |
| (RHSA-2023:3623) Red Hat Ceph Storage 6.1 security and bug fix update rbd-nbd-17.2.6-70.el9cp.x86_64.rpm | Linux |
| Vulnerabilities CVE-2022-31129 are fixed in Nuget - Moment.js for Linux 2.29.4 | Linux |
Patch Details
Click to see the patches provided by ManageEngine for this CVE
| Patch ID | Patch Description |
|---|---|
| PATCH-346982 | Nessus Agent (x64) (10.8.4) (Manual Upload Required) |
| PATCH-346981 | Nessus Agent (10.8.4) (Manual Upload Required) |
References
https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234