WS-2016-0006 Medium Severity Vulnerability detected by WhiteSource #1143
Labels
security vulnerability
Security vulnerability detected by WhiteSource
Comments
mend-bolt-for-github
bot
added
the
security vulnerability
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
WS-2016-0006 - Medium Severity Vulnerability
Parse, manipulate, and display dates.
path: /tmp/git/FinancialManager/web/assets/vendors/jqvmap/node_modules/moment/package.json
Library home page: http://registry.npmjs.org/moment/-/moment-2.0.0.tgz
Dependency Hierarchy:
Moment is vulnerable to regular expression denial of service when user input is passed unchecked into moment.duration() blocking the event loop for a period of time.
Publish Date: 2016-01-26
URL: WS-2016-0006
Base Score Metrics not available
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/55
Release Date: 2016-01-26
Fix Resolution: Please update to version 2.11.2 or greater. If you are unable to update more information is available below.
A fix has been made available in a pull request. Do not allow untrusted user input into
moment.duration()or truncate the length of the allowed input to reduce blocking potential.in moment.js change line 1819 from
var aspNetRegex = /(\-)?(?:(\d*)[. ])?(\d+)\:(\d+)(?:\:(\d+)\.?(\d{3})?)?/;to
var aspNetRegex = /^(\-)?(?:(\d*)[. ])?(\d+)\:(\d+)(?:\:(\d+)\.?(\d{3})?(?:\d*)?)?$/;Step up your Open Source Security Game with WhiteSource here
The text was updated successfully, but these errors were encountered: