// For flags

CVE-2022-24785

Path Traversal in Moment.js

Severity Score

7.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.

Moment.js es una librería de fechas en JavaScript para analizar, comprobar, manipular y formatear fechas. Una vulnerabilidad de salto de ruta afecta a usuarios de npm (servidor) de Moment.js entre las versiones 1.0.1 y 2.29.1, especialmente si es usada directamente una cadena de configuración regional proporcionada por el usuario para cambiar la configuración regional de Moment. Este problema está parcheado en la versión 2.29.2, y el parche puede aplicarse a todas las versiones afectadas. Como medida de mitigación, sanee el nombre de la configuración regional proporcionada por el usuario antes de pasarlo a Moment.js

A path traversal vulnerability was found in Moment.js that impacts npm (server) users. This issue occurs if a user-provided locale string is directly used to switch moment locale, which an attacker can exploit to change the correct path to one of their choice. This can result in a loss of integrity.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
None
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2022-02-10 CVE Reserved
  • 2022-04-04 CVE Published
  • 2024-08-03 CVE Updated
  • 2024-11-08 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  • CWE-27: Path Traversal: 'dir/../../filename'
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Momentjs
Search vendor "Momentjs"
Moment
Search vendor "Momentjs" for product "Moment"
>= 1.0.1 < 2.29.2
Search vendor "Momentjs" for product "Moment" and version " >= 1.0.1 < 2.29.2"
node.js
Affected
Momentjs
Search vendor "Momentjs"
Moment
Search vendor "Momentjs" for product "Moment"
>= 1.0.1 < 2.29.2
Search vendor "Momentjs" for product "Moment" and version " >= 1.0.1 < 2.29.2"
nuget
Affected
Tenable
Search vendor "Tenable"
Tenable.sc
Search vendor "Tenable" for product "Tenable.sc"
< 5.21.0
Search vendor "Tenable" for product "Tenable.sc" and version " < 5.21.0"
-
Affected
Netapp
Search vendor "Netapp"
Active Iq
Search vendor "Netapp" for product "Active Iq"
--
Affected
Fedoraproject
Search vendor "Fedoraproject"
Fedora
Search vendor "Fedoraproject" for product "Fedora"
35
Search vendor "Fedoraproject" for product "Fedora" and version "35"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
Fedora
Search vendor "Fedoraproject" for product "Fedora"
36
Search vendor "Fedoraproject" for product "Fedora" and version "36"
-
Affected
Debian
Search vendor "Debian"
Debian Linux
Search vendor "Debian" for product "Debian Linux"
10.0
Search vendor "Debian" for product "Debian Linux" and version "10.0"
-
Affected