Bug 2072009 (CVE-2022-24785)
Summary: | CVE-2022-24785 Moment.js: Path traversal in moment.locale | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Vipul Nair <vinair> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | moment v 2.29.2 | Doc Type: | If docs needed, set a value |
Doc Text: |
A path traversal vulnerability was found in Moment.js that impacts npm (server) users. This issue occurs when a user-provided locale string is passed directly to moment.locale() to switch the locale, which an attacker can exploit to replace the intended locale path with one of their choice. This can result in a loss of integrity.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2022-05-05 09:45:26 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | | ||
Bug Blocks: | 2072047 |
Description
Vipul Nair
2022-04-05 12:05:48 UTC
Cockpit stopped using moment.js in version 249 (https://github.com/cockpit-project/cockpit/commit/fd270ee36b078b was the latest one for the conversion), cockpit-podman did that in version 33 (https://github.com/cockpit-project/cockpit-podman/commit/83b79332b64f1), c-machines in version 248 (https://github.com/cockpit-project/cockpit-machines/commit/6705c23e2f3f6ef). So RHEL 8.5/8.6/9.0 are not affected at all. cockpit-composer apparently never used moment.js.

Cockpit in RHEL 7.9 still uses moment.js, and calls `moment.locale(cockpit.language)`. The user does not have arbitrary control over that; it is parsed from the existing po.LL.js headers, which are under cockpit source code control. And even then, cockpit-ws does not allow path traversal beyond the user session privileges that the user has anyway. So I am confident that this issue does not affect anything in the cockpit-* family.

Created cockpit tracking bugs for this issue:
Affects: fedora-34 [bug 2075269]
Affects: fedora-35 [bug 2075285]
Affects: fedora-all [bug 2075252]

Created cockpit-composer tracking bugs for this issue:
Affects: fedora-34 [bug 2075270]
Affects: fedora-35 [bug 2075287]
Affects: fedora-all [bug 2075254]

Created cockpit-ostree tracking bugs for this issue:
Affects: fedora-34 [bug 2075271]
Affects: fedora-all [bug 2075255]

Created cockpit-session-recording tracking bugs for this issue:
Affects: fedora-34 [bug 2075272]
Affects: fedora-35 [bug 2075289]
Affects: fedora-all [bug 2075256]

Created couchdb tracking bugs for this issue:
Affects: fedora-34 [bug 2075273]
Affects: fedora-35 [bug 2075292]
Affects: fedora-all [bug 2075257]

Created golang-github-apache-beam-2 tracking bugs for this issue:
Affects: fedora-34 [bug 2075274]
Affects: fedora-35 [bug 2075295]
Affects: fedora-all [bug 2075258]

Created golang-github-cockroachdb-cockroach tracking bugs for this issue:
Affects: fedora-35 [bug 2075297]
Affects: fedora-all [bug 2075259]

Created golang-github-prometheus tracking bugs for this issue:
Affects: epel-7 [bug 2075267]
Affects: epel-all [bug 2075253]

Created grafana tracking bugs for this issue:
Affects: fedora-34 [bug 2075275]
Affects: fedora-35 [bug 2075299]
Affects: fedora-all [bug 2075260]

Created openvas-gsa tracking bugs for this issue:
Affects: fedora-34 [bug 2075277]
Affects: fedora-all [bug 2075261]

Created python-ipyparallel tracking bugs for this issue:
Affects: fedora-35 [bug 2075301]
Affects: fedora-all [bug 2075262]

Created python-notebook tracking bugs for this issue:
Affects: fedora-all [bug 2075263]

Created qpid-dispatch tracking bugs for this issue:
Affects: openstack-rdo [bug 2075266]

Created syncthing tracking bugs for this issue:
Affects: epel-8 [bug 2075268]
Affects: fedora-34 [bug 2075279]
Affects: fedora-35 [bug 2075302]

Created workrave tracking bugs for this issue:
Affects: fedora-34 [bug 2075281]
Affects: fedora-35 [bug 2075304]
Affects: fedora-all [bug 2075264]

Created zuul tracking bugs for this issue:
Affects: fedora-34 [bug 2075283]
Affects: fedora-35 [bug 2075306]
Affects: fedora-all [bug 2075265]

Created cockpit tracking bugs for this issue:
Affects: fedora-34 [bug 2075310]
Affects: fedora-35 [bug 2075322]
Affects: fedora-all [bug 2075276]

Created cockpit-composer tracking bugs for this issue:
Affects: fedora-34 [bug 2075311]
Affects: fedora-35 [bug 2075323]
Affects: fedora-all [bug 2075280]

Created cockpit-ostree tracking bugs for this issue:
Affects: fedora-34 [bug 2075312]
Affects: fedora-all [bug 2075282]

Created cockpit-session-recording tracking bugs for this issue:
Affects: fedora-34 [bug 2075313]
Affects: fedora-35 [bug 2075324]
Affects: fedora-all [bug 2075284]

Created couchdb tracking bugs for this issue:
Affects: fedora-34 [bug 2075315]
Affects: fedora-35 [bug 2075325]
Affects: fedora-all [bug 2075286]

Created golang-github-apache-beam-2 tracking bugs for this issue:
Affects: fedora-34 [bug 2075316]
Affects: fedora-35 [bug 2075326]
Affects: fedora-all [bug 2075288]

Created golang-github-cockroachdb-cockroach tracking bugs for this issue:
Affects: fedora-35 [bug 2075327]
Affects: fedora-all [bug 2075290]

Created golang-github-prometheus tracking bugs for this issue:
Affects: epel-7 [bug 2075308]
Affects: epel-all [bug 2075278]

Created grafana tracking bugs for this issue:
Affects: fedora-34 [bug 2075317]
Affects: fedora-35 [bug 2075328]
Affects: fedora-all [bug 2075293]

Created openvas-gsa tracking bugs for this issue:
Affects: fedora-34 [bug 2075318]
Affects: fedora-all [bug 2075296]

Created python-ipyparallel tracking bugs for this issue:
Affects: fedora-35 [bug 2075329]
Affects: fedora-all [bug 2075298]

Created python-notebook tracking bugs for this issue:
Affects: fedora-all [bug 2075300]

Created qpid-dispatch tracking bugs for this issue:
Affects: openstack-rdo [bug 2075307]

Created syncthing tracking bugs for this issue:
Affects: epel-8 [bug 2075309]
Affects: fedora-34 [bug 2075319]
Affects: fedora-35 [bug 2075330]

Created workrave tracking bugs for this issue:
Affects: fedora-34 [bug 2075320]
Affects: fedora-35 [bug 2075331]
Affects: fedora-all [bug 2075303]

Created zuul tracking bugs for this issue:
Affects: fedora-34 [bug 2075321]
Affects: fedora-35 [bug 2075332]
Affects: fedora-all [bug 2075305]

This issue has been addressed in the following products:
Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8
Via RHSA-2022:1681 https://access.redhat.com/errata/RHSA-2022:1681

This issue has been addressed in the following products:
Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7
Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8
Via RHSA-2022:1715 https://access.redhat.com/errata/RHSA-2022:1715

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-24785

This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform
Via RHSA-2022:4922 https://access.redhat.com/errata/RHSA-2022:4922

This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7
Via RHSA-2022:4918 https://access.redhat.com/errata/RHSA-2022:4918

This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8
Via RHSA-2022:4919 https://access.redhat.com/errata/RHSA-2022:4919

This issue has been addressed in the following products:
Red Hat Advanced Cluster Management for Kubernetes 2.5 for RHEL 8
Via RHSA-2022:4956 https://access.redhat.com/errata/RHSA-2022:4956

This issue has been addressed in the following products:
OpenShift Service Mesh 2.1
Via RHSA-2022:5006 https://access.redhat.com/errata/RHSA-2022:5006

This issue has been addressed in the following products:
Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8
Via RHSA-2022:5201 https://access.redhat.com/errata/RHSA-2022:5201

This issue has been addressed in the following products:
Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8
Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7
Via RHSA-2022:5392 https://access.redhat.com/errata/RHSA-2022:5392

This issue has been addressed in the following products:
Red Hat OpenShift Data Foundation 4.11 on RHEL8
Via RHSA-2022:6156 https://access.redhat.com/errata/RHSA-2022:6156

This issue has been addressed in the following products:
OpenShift Service Mesh 2.0
Via RHSA-2022:6272 https://access.redhat.com/errata/RHSA-2022:6272

This issue has been addressed in the following products:
OpenShift Service Mesh 2.1
Via RHSA-2022:6277 https://access.redhat.com/errata/RHSA-2022:6277

This issue has been addressed in the following products:
RHPAM 7.13.1 async
Via RHSA-2022:6813 https://access.redhat.com/errata/RHSA-2022:6813

This issue has been addressed in the following products:
Red Hat Openshift distributed tracing 2.6
Via RHSA-2022:7055 https://access.redhat.com/errata/RHSA-2022:7055

This issue has been addressed in the following products:
Red Hat Fuse 7.11.1
Via RHSA-2022:8652 https://access.redhat.com/errata/RHSA-2022:8652

This issue has been addressed in the following products:
Red Hat Ceph Storage 5.3
Via RHSA-2023:0076 https://access.redhat.com/errata/RHSA-2023:0076

This issue has been addressed in the following products:
Red Hat Single Sign-On 7.6 for RHEL 7
Via RHSA-2023:1043 https://access.redhat.com/errata/RHSA-2023:1043

This issue has been addressed in the following products:
Red Hat Single Sign-On 7.6 for RHEL 8
Via RHSA-2023:1044 https://access.redhat.com/errata/RHSA-2023:1044

This issue has been addressed in the following products:
Red Hat Single Sign-On 7.6 for RHEL 9
Via RHSA-2023:1045 https://access.redhat.com/errata/RHSA-2023:1045

This issue has been addressed in the following products:
RHEL-8 based Middleware Containers
Via RHSA-2023:1047 https://access.redhat.com/errata/RHSA-2023:1047

This issue has been addressed in the following products:
Red Hat Single Sign-On
Via RHSA-2023:1049 https://access.redhat.com/errata/RHSA-2023:1049

This issue has been addressed in the following products:
Red Hat Ceph Storage 6.1
Via RHSA-2023:3642 https://access.redhat.com/errata/RHSA-2023:3642

This issue has been addressed in the following products:
Red Hat Fuse 7.12
Via RHSA-2023:3954 https://access.redhat.com/errata/RHSA-2023:3954

This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7
Via RHSA-2025:4226 https://access.redhat.com/errata/RHSA-2025:4226

This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7
Via RHSA-2025:4437 https://access.redhat.com/errata/RHSA-2025:4437
|