WS-2016-0075 (Medium) detected in moment-2.13.0.min.js

[mend-for-github-com]

WS-2016-0075 - Medium Severity Vulnerability

Vulnerable Library - moment-2.13.0.min.js

Parse, validate, manipulate, and display dates

Library home page: https://cdnjs.cloudflare.com/ajax/libs/moment.js/2.13.0/moment.min.js

Path to dependency file: /tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/node_modules/chartjs-plugin-labels/bower_components/chart.js/samples/scales/time/line-point-data.html

Path to vulnerable library: /labs-air/uiupgrade/IoTCloudStarter/node_modules/chartjs-plugin-labels/bower_components/chart.js/samples/scales/time/line-point-data.html,/labs-air/ui/IoTCloudStarter/node_modules/chartjs-plugin-labels/bower_components/chart.js/samples/scales/time/combo.html

Dependency Hierarchy:

• ❌ moment-2.13.0.min.js (Vulnerable Library)

Found in HEAD commit: 2b36f19c6531f1a3964d83923e752838cd9d62cb

Vulnerability Details

Regular expression denial of service vulnerability in the moment package, by using a specific 40 characters long string in the "format" method.

Publish Date: 2016-10-24

URL: WS-2016-0075

CVSS 2 Score Details (5.8)

Base Score Metrics not available

Suggested Fix

Type: Change files

Origin: moment/moment@663f33e

Release Date: 2016-10-24

Fix Resolution: Replace or update the following files: month.js, lt.js