This content cannot be displayed without JavaScript.
Please enable JavaScript and reload the page.

EIQ-2019-0007

ID	EIQ-2019-0007
CVE	CVE-2017-18214
Description	Moment.js is vulnerable to regular expression denial of service
Date	11 Feb 2019
Severity	2 - MEDIUM
CVSSv3 score	6.5
Status	All versions
Assessment	Moment.js Node.js module versions 2.19.3 and earlier are vulnerable to low-severity regular expression denial of service when parsing dates as strings. This can result in a denial of service (CPU consumption). This vulnerability is a false positive: EclecticIQ Platform uses Moment.js only to parse date and time values that signed-in platform users select through date and time picker elements in the web-based GUI. The dependency parses and processes only internal, validated code. Even in the case where a crafted regex were injected and sent to Moment.js for parsing, a DDoS would last only a few seconds; the web-based GUI would hang for a few seconds, before resuming normal functionality.
Mitigation	Update to Moment.js version 2.19.3 or later.
Affected versions	None
Notes	NVD assigns the vulnerability a 7.5 3 - HIGH CVSSv3 score. Snyk assigns the vulnerability a 3.7 1 - LOW CVSSv3 score. For more information, see: Regular Expression Denial of Service Regular Expression Denial of Service affecting moment package, versions <2.19.3 Vulnerable Regular Expression Fix for ReDOS vulnerability

< Back to all security issues and mitigation actions

In release notes 2.3.3

In release notes 2.3.4

In release notes 2.6.0