momentjs moment CVE-2022-24785 vulnerability in Momentjs and Other Products
Published on April 4, 2022

Path Traversal in Moment.js

product logo product logo product logo product logo product logo product logo
Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.

Github Repository Github Repository Vendor Advisory Vendor Advisory NVD

Vulnerability Analysis

CVE-2022-24785 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, a high impact on integrity, and no impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
NONE
Integrity Impact:
HIGH
Availability Impact:
NONE

Weakness Types

What is a Directory traversal Vulnerability?

The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

CVE-2022-24785 has been classified to as a Directory traversal vulnerability or weakness.

Path Traversal: 'dir/../../filename'

The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize multiple internal "../" sequences that can resolve to a location that is outside of that directory.


Products Associated with CVE-2022-24785

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2022-24785 are published in these products:

Momentjs Moment
 
Tenable Sc
 
NetApp Active Iq
 
Fedora Project Fedora
 
Canonical Ubuntu Linux
 
Debian Linux
 

Affected Versions

moment Version >= 1.0.1, < 2.29.2 is affected by CVE-2022-24785

Vulnerable Packages

The following package name and versions may be associated with CVE-2022-24785

Package Manager Vulnerable Package Versions Fixed In
npm moment < 2.29.2 2.29.2
npm ghost >= 5.0.0, < 5.2.3 5.2.3
npm ghost < 4.48.2 4.48.2
nuget Moment.js < 2.29.2 2.29.2

Exploit Probability

EPSS
1.67%
Percentile
81.87%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.