CVE-2022-31129 HIGH Severity Vulnerability #2173
Assignees
Labels
bug
Something isn't working
cve
Security vulnerabilities detected by Dependabot or Mend
high severity
High severity CVE
Comments
seraphjiang
added
bug
|
Look like this was fixed here: #1931 |
|
Fixed in main. and 2.x, need backport to 1.x |
|
backport to 1.x #2194 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.
OpenSearch Dashboards use 2.24.0, which is impacted. Expected to upgrade to 2.29.4 for ix
Additional Details
https://nvd.nist.gov/vuln/detail/CVE-2022-31129
The text was updated successfully, but these errors were encountered: