EIQ-2019-0007


ID

EIQ-2019-0007

CVE

CVE-2017-18214

Description

Moment.js is vulnerable to regular expression denial of service

Date

11 Feb 2019

Severity

2 - MEDIUM

CVSSv3 score

6.5

Status

All versions

Assessment

Moment.js Node.js module versions before 2.19.3 are vulnerable to a low-severity regular expression denial of service (ReDoS) when parsing dates from strings: a crafted date string can trigger catastrophic backtracking in the regular expressions the parser applies to its input.
This can result in a denial of service (CPU consumption for as long as the match keeps backtracking).

This vulnerability is a false positive for EclecticIQ Platform: the platform uses Moment.js only to parse date and time values that signed-in platform users select through the date and time picker elements in the web-based GUI.
The dependency therefore only ever parses internal, validated input of a fixed shape, not arbitrary user-supplied strings.

Even if a crafted date string were injected and handed to Moment.js for parsing, the resulting denial of service would last only a few seconds: the web-based GUI would hang briefly and then resume normal operation.

Mitigation

Update to Moment.js version 2.19.3 or later.
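The following is an added example, not code from EclecticIQ Platform or from Moment.js. It illustrates the class of problem the assessment describes (a backtracking regular expression burning CPU on a crafted string) with a constructed textbook pattern rather than the regex that was changed in Moment.js 2.19.3, shows the kind of length-bounded, strictly anchored pre-validation that keeps arbitrary strings away from a date parser (the picker-only exposure the assessment relies on), and includes a version gate for the 2.19.3 fix boundary named in the mitigation. The pattern, the sample inputs and all function and constant names are assumptions made here for illustration.

```javascript
// Added example (not EclecticIQ Platform or Moment.js code).
// Illustrates the ReDoS class behind CVE-2017-18214 with a constructed
// pattern; the actual regex fixed in Moment.js 2.19.3 is not reproduced.

// Constructed catastrophic-backtracking pattern: a nested, anchored
// quantifier. On a near-miss input (digits followed by a non-digit) the
// engine retries every way of splitting the digits into groups, which is
// exponential in the number of digits.
const EVIL_PATTERN = /^(\d+)+$/;

// Constructed crafted input: 20 digits followed by a character that forces
// the overall match to fail, so every partition is tried before giving up.
const CRAFTED = '1'.repeat(20) + 'x';

// Time a single regex test; wall-clock milliseconds are enough to see the
// difference between the evil pattern and a linear-time guard.
function timeMatch(re, input) {
  const start = Date.now();
  const matched = re.test(input);
  return { matched, ms: Date.now() - start };
}

// Guard applied before any date string reaches a parser: a bounded length
// and a strict, anchored ISO-8601 shape with no nested unbounded quantifiers,
// so the check itself runs in linear time. A GUI date/time picker only emits
// strings of this shape; anything else is rejected up front.
const MAX_DATE_INPUT_LENGTH = 32;
const STRICT_ISO_8601 =
  /^\d{4}-\d{2}-\d{2}(?:T\d{2}:\d{2}(?::\d{2}(?:\.\d{1,3})?)?(?:Z|[+-]\d{2}:\d{2})?)?$/;

function isSafeDateInput(value) {
  return typeof value === 'string'
    && value.length <= MAX_DATE_INPUT_LENGTH
    && STRICT_ISO_8601.test(value);
}

// Version gate for the fix boundary in this advisory: Moment.js 2.19.3 or
// later is patched. Handles plain x.y.z version strings only (assumption).
const FIXED_VERSION = [2, 19, 3];

function isPatchedMoment(version) {
  const parts = version.split('.').map(Number);
  for (let i = 0; i < FIXED_VERSION.length; i++) {
    const v = parts[i] || 0;
    if (v !== FIXED_VERSION[i]) return v > FIXED_VERSION[i];
  }
  return true;
}

// Stand-alone demonstration.
function demo() {
  const slow = timeMatch(EVIL_PATTERN, CRAFTED);
  const fast = timeMatch(STRICT_ISO_8601, CRAFTED);
  console.log(`evil pattern on crafted input: matched=${slow.matched} in ${slow.ms} ms`);
  console.log(`strict guard on crafted input: matched=${fast.matched} in ${fast.ms} ms`);
  for (const s of ['2019-02-11', '2019-02-11T10:30:00Z', CRAFTED]) {
    console.log(`${JSON.stringify(s)} -> safe=${isSafeDateInput(s)}`);
  }
  for (const v of ['2.19.2', '2.19.3', '2.24.0']) {
    console.log(`moment ${v} patched=${isPatchedMoment(v)}`);
  }
}

demo();
```

Run it with `node`; the evil pattern's time grows roughly twofold for every digit added to the crafted input, while the strict guard rejects the same string immediately. The guard is a defence in depth for callers that cannot upgrade yet; it does not replace moving to 2.19.3 or later, which is the actual fix.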

Affected versions

None

Notes

  • NVD assigns the vulnerability a CVSSv3 score of 7.5 (3 - HIGH).

  • Snyk assigns the vulnerability a CVSSv3 score of 3.7 (1 - LOW).

For more information, see:

In release notes 2.3.3

In release notes 2.3.4

In release notes 2.6.0