CVE-2022-24785
Path Traversal in Moment.js
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.
Moment.js es una librería de fechas en JavaScript para analizar, comprobar, manipular y formatear fechas. Una vulnerabilidad de salto de ruta afecta a usuarios de npm (servidor) de Moment.js entre las versiones 1.0.1 y 2.29.1, especialmente si es usada directamente una cadena de configuración regional proporcionada por el usuario para cambiar la configuración regional de Moment. Este problema está parcheado en la versión 2.29.2, y el parche puede aplicarse a todas las versiones afectadas. Como medida de mitigación, sanee el nombre de la configuración regional proporcionada por el usuario antes de pasarlo a Moment.js
A path traversal vulnerability was found in Moment.js that impacts npm (server) users. This issue occurs if a user-provided locale string is directly used to switch moment locale, which an attacker can exploit to change the correct path to one of their choice. This can result in a loss of integrity.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2022-02-10 CVE Reserved
- 2022-04-04 CVE Published
- 2024-08-03 CVE Updated
- 2024-11-08 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- CWE-27: Path Traversal: 'dir/../../filename'
CAPEC
References (9)
| URL | Tag | Source |
|---|---|---|
| https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html | Mailing List |
|
| https://security.netapp.com/advisory/ntap-20220513-0006 | Third Party Advisory |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5 | 2023-11-07 | |
| https://www.tenable.com/security/tns-2022-09 | 2023-11-07 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Momentjs Search vendor "Momentjs" | Moment Search vendor "Momentjs" for product "Moment" | >= 1.0.1 < 2.29.2 Search vendor "Momentjs" for product "Moment" and version " >= 1.0.1 < 2.29.2" | node.js |
Affected
| ||||||
| Momentjs Search vendor "Momentjs" | Moment Search vendor "Momentjs" for product "Moment" | >= 1.0.1 < 2.29.2 Search vendor "Momentjs" for product "Moment" and version " >= 1.0.1 < 2.29.2" | nuget |
Affected
| ||||||
| Tenable Search vendor "Tenable" | Tenable.sc Search vendor "Tenable" for product "Tenable.sc" | < 5.21.0 Search vendor "Tenable" for product "Tenable.sc" and version " < 5.21.0" | - |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Active Iq Search vendor "Netapp" for product "Active Iq" | - | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 35 Search vendor "Fedoraproject" for product "Fedora" and version "35" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 36 Search vendor "Fedoraproject" for product "Fedora" and version "36" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0" | - |
Affected
| ||||||