CVE-2022-24785
Summary
| CVE | CVE-2022-24785 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2022-04-04 17:15:00 UTC |
| Updated | 2023-11-07 03:44:00 UTC |
| Description | Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js. |
Risk And Classification
Problem Types: CWE-22 | CWE-27
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Debian | Debian Linux | 10.0 | All | All | All |
| Operating System | Fedoraproject | Fedora | 35 | All | All | All |
| Operating System | Fedoraproject | Fedora | 36 | All | All | All |
| Application | Momentjs | Moment | All | All | All | All |
| Application | Netapp | Active Iq | - | All | All | All |
| Application | Tenable | Tenable.sc | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| [SECURITY] Fedora 35 Update: python-notebook-6.4.0-4.fc35 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| [SECURITY] [DLA 3295-1] node-moment security update | MLIST | lists.debian.org | |
| [R1] Tenable.sc 5.21.0 Fixes Multiple Third-Party Vulnerabilities - Security Advisory | Tenable® | CONFIRM | www.tenable.com | |
| [SECURITY] Fedora 36 Update: python-notebook-6.4.11-3.fc36 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| CVE-2022-24785 NPM Vulnerability in NetApp Products | NetApp Product Security | CONFIRM | security.netapp.com | |
| [bugfix] Avoid loading path-looking locales from fs · moment/moment@4211bfc · GitHub | MISC | github.com | |
| Path Traversal: 'dir/../../filename' in moment.locale · Advisory · moment/moment · GitHub | CONFIRM | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 180817 Debian Security Update for node-moment (CVE-2022-24785)
- 181530 Debian Security Update for node-moment (DLA 3295-1)
- 198899 Ubuntu Security Notification for Moment.js Vulnerabilities (USN-5559-1)
- 240458 Red Hat Update for JBoss Enterprise Application Platform 7.4.5 on RHEL 7 (RHSA-2022:4918)
- 240459 Red Hat Update for JBoss Enterprise Application Platform 7.4.5 on RHEL 8 (RHSA-2022:4919)
- 241043 Red Hat Update for Red Hat Ceph Storage 5.3 (RHSA-2023:0076)
- 282965 Fedora Security Update for python (FEDORA-2022-35b698150c)
- 282966 Fedora Security Update for python (FEDORA-2022-85aa8e5706)
- 285305 Fedora Security Update for python (FEDORA-2023-3256575fc8)
- 378004 Splunk Enterprise Multiple Vulnerabilities (SVD-2023-0215, SVD-2023-0211, SVD-2023-0208)