[ https://issues.apache.org/jira/browse/TEZ-4573?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
László Bodor resolved TEZ-4573.
-------------------------------
Resolution: Fixed
> Upgrade momentjs to 2.29.4 due to CVE-2022-24785, CVE-2022-31129 and
> CVE-2017-18214
> -----------------------------------------------------------------------------------
>
> Key: TEZ-4573
> URL: https://issues.apache.org/jira/browse/TEZ-4573
> Project: Apache Tez
> Issue Type: Task
> Reporter: Mayank Kunwar
> Assignee: Mayank Kunwar
> Priority: Major
> Fix For: 0.10.4
>
> Time Spent: 1h 20m
> Remaining Estimate: 0h
>
> Upgrade momentjs to 2.29.4 due to CVE-2022-24785, CVE-2022-31129 and
> CVE-2017-18214
> CVE-2022-24785 - A path traversal vulnerability impacts npm (server) users of
> Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided
> locale string is directly used to switch moment locale.
> CVSSv3 Score:- 6.5(Medium)
> [https://nvd.nist.gov/vuln/detail/CVE-2023-45857]
> CVE-2022-31129 - Affected versions of moment were found to use an inefficient
> parsing algorithm. Specifically using string-to-date parsing in moment (more
> specifically rfc2822 parsing, which is tried by default) has quadratic (N^2)
> complexity on specific inputs. Users may notice a noticeable slowdown with
> inputs above 10k characters. Users who pass user-provided
> strings without sanity length checks to moment constructor are vulnerable to
> (Re)DoS attacks.
> CVSSv3 Score:- 7.5(High)
> [https://nvd.nist.gov/vuln/detail/CVE-2022-31129]
> CVE-2017-18214 - The moment module before 2.19.3 for Node.js is prone to a
> regular expression denial of service via a crafted date string, a different
> vulnerability than CVE-2016-4055.
> CVSSv3 Score:- 7.5(High)
> [https://nvd.nist.gov/vuln/detail/CVE-2017-18214]
> Affected Path:-
> [https://github.infra.cloudera.com/cdh/tez/blob/CDH-7.1.7.3000/tez-ui/src/main/webapp/yarn.lock#:~:text=%22moment%40%3E%3D%202.6.0,resolved%20%22https%3A//registry]
>
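To check a checkout for the dependency this ticket upgrades, the following added example (not part of the ticket or of the Tez code base) scans yarn.lock v1 text for `moment` entries that resolve below 2.29.4. The function names and the sample lockfile are constructed for illustration.

```javascript
// Report which versions of a package a yarn.lock (v1 format) pins,
// and whether each is older than the fixed release.
const FIXED_MOMENT = "2.29.4"; // fix version named in the ticket

// Compare dotted numeric versions; pre-release suffixes are ignored.
function compareVersions(a, b) {
  const pa = a.split(".").map((x) => parseInt(x, 10) || 0);
  const pb = b.split(".").map((x) => parseInt(x, 10) || 0);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Returns [{ specifiers, version, vulnerable }] for each lock entry of `pkg`.
function findLockedVersions(lockText, pkg, fixed = FIXED_MOMENT) {
  const results = [];
  let entry = null; // specifiers of the entry being read, if it is for `pkg`
  for (const line of lockText.split(/\r?\n/)) {
    if (/^[^\s#].*:$/.test(line)) {
      // Entry header: comma-separated "name@range" specifiers, some quoted.
      const specs = (line.slice(0, -1).match(/"[^"]+"|[^",\s]+/g) || [])
        .map((s) => s.replace(/^"|"$/g, ""));
      // indexOf from 1 keeps scoped names such as @scope/name intact.
      entry = specs.some((s) => s.slice(0, s.indexOf("@", 1)) === pkg) ? specs : null;
    } else if (entry) {
      const m = /^\s+version "([^"]+)"\s*$/.exec(line);
      if (m) {
        results.push({ specifiers: entry, version: m[1],
                       vulnerable: compareVersions(m[1], fixed) < 0 });
        entry = null;
      }
    }
  }
  return results;
}

// Constructed sample lockfile; the versions are illustrative only.
const SAMPLE_LOCK = `# yarn lockfile v1

"moment@>= 2.6.0", moment@^2.10.2:
  version "2.12.0"

moment-timezone@^0.5.0:
  version "0.5.33"
  dependencies:
    moment ">= 2.9.0"
`;
console.log(findLockedVersions(SAMPLE_LOCK, "moment"));
```

Entries for similarly named packages such as `moment-timezone` are not matched, and a `moment` range listed under another package's `dependencies:` is not treated as a pinned version.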