EIQ-2019-0007

ID

EIQ-2019-0007

CVE

CVE-2017-18214

Description

Moment.js is vulnerable to regular expression denial of service

Date

11 Feb 2019

Severity

2 - MEDIUM

CVSSv3 score

6.5

Status

✅ All versions

Assessment

Moment.js Node.js module versions 2.19.3 and earlier are vulnerable to low-severity regular expression denial of service when parsing dates as strings.

This can result in a denial of service (CPU consumption).

Note

This vulnerability is a false positive: EclecticIQ Platform uses Moment.js only to parse date and time values that signed-in platform users select through date and time picker elements in the web-based GUI.

The dependency parses and processes only internal, validated values.

Even if a crafted input were injected and sent to Moment.js for parsing, the resulting denial of service would last only a few seconds: the web-based GUI would hang briefly before resuming normal functionality.
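The note above rests on the input reaching Moment.js being picker-generated and validated. The following is an added illustration of such an input gate, not EclecticIQ Platform or Moment.js code: it caps the length of a date string and checks it against a fixed-width, bounded-quantifier pattern before any regex-based parser sees it, and it times each parse so a slow parse shows up in logs rather than only as a hung GUI. It assumes the pickers emit ISO 8601 values such as "2019-02-11" or "2019-02-11T14:30:00Z", and uses Date.parse as a stand-in for moment(); the constant and function names are the example's own.

```javascript
// Added example (not EclecticIQ or Moment.js code). Assumption: the GUI
// date/time pickers emit ISO 8601 values like "2019-02-11T14:30:00Z".

// Longest value the pickers can emit, plus slack. Capping length first means
// the worst case for everything below is bounded by a small constant.
const MAX_DATE_STRING_LENGTH = 32;

// Fixed-width fields and bounded quantifiers only: no nested or unbounded
// repetition, so matching cost grows linearly with the (already capped) input.
const STRICT_ISO_DATETIME =
  /^(\d{4})-(\d{2})-(\d{2})(?:T(\d{2}):(\d{2})(?::(\d{2})(?:\.\d{1,3})?)?(Z|[+-]\d{2}:\d{2})?)?$/;

// month is 1..12; day 0 of the following month is the last day of this month.
function daysInMonth(year, month) {
  return new Date(Date.UTC(year, month, 0)).getUTCDate();
}

// Optional capture groups come back undefined; treat them as zero.
function fieldOrZero(s) {
  return s === undefined ? 0 : Number(s);
}

// Returns { ok: true, value: Date } or { ok: false, reason: string }.
// Untrusted strings never reach the real parser unless every check passes.
function validateDateInput(input) {
  if (typeof input !== 'string') return { ok: false, reason: 'not a string' };
  if (input.length > MAX_DATE_STRING_LENGTH) return { ok: false, reason: 'too long' };
  const m = STRICT_ISO_DATETIME.exec(input);
  if (!m) return { ok: false, reason: 'unexpected format' };

  const year = Number(m[1]);
  const month = Number(m[2]);
  const day = Number(m[3]);
  const hour = fieldOrZero(m[4]);
  const minute = fieldOrZero(m[5]);
  const second = fieldOrZero(m[6]);
  if (month < 1 || month > 12) return { ok: false, reason: 'month out of range' };
  if (day < 1 || day > daysInMonth(year, month)) return { ok: false, reason: 'day out of range' };
  if (hour > 23 || minute > 59 || second > 59) return { ok: false, reason: 'time out of range' };

  // Only now is the string handed to the regex-based parser
  // (Date.parse stands in for moment() here).
  const ms = Date.parse(input);
  if (Number.isNaN(ms)) return { ok: false, reason: 'parser rejected value' };
  return { ok: true, value: new Date(ms) };
}

// Detection side: time each parse and flag anything over a budget, so a
// parser regression is visible in logs instead of only as a frozen GUI.
function timedParse(input, parseFn, budgetMs) {
  const start = process.hrtime.bigint();
  const result = parseFn(input);
  const elapsedMs = Number(process.hrtime.bigint() - start) / 1e6;
  return { result, elapsedMs, overBudget: elapsedMs > budgetMs };
}

// Constructed sample inputs: one picker-shaped value and two that a picker
// would never emit.
const samples = ['2019-02-11T14:30:00Z', '2019-02-30', 'x'.repeat(10000)];
for (const s of samples) {
  const { result, elapsedMs, overBudget } = timedParse(s, validateDateInput, 50);
  console.log(JSON.stringify({ input: s.slice(0, 24), ok: result.ok, reason: result.reason,
    elapsedMs: elapsedMs.toFixed(3), overBudget }));
}
```

The rejection reasons are deliberately coarse: they are for the application log, not for the user, and an oversized or misformatted value from a path that should only ever carry picker output is itself worth alerting on.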

Mitigation

Update to Moment.js version 2.19.3 or later.

Affected versions

None

Notes

  • NVD assigns the vulnerability a CVSSv3 score of 7.5 (3 - HIGH).

  • Snyk assigns the vulnerability a CVSSv3 score of 3.7 (1 - LOW).

For more information, see: