Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.

References:
https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5
https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4
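One way to apply the workaround above, as an added example that is not moment.js code or part of this report: allowlist the user-supplied locale name before it reaches `moment.locale()`. It assumes moment locale names are lowercase ASCII letters and digits joined by hyphens (e.g. "en-gb", "zh-cn", "x-pseudo"), and the allowlist below is a constructed subset; a real application would build it from `moment.locales()` at startup.

```javascript
// Shape check: a locale code, never a path. Slashes, dots, backslashes and
// control characters cannot match, so nothing path-like reaches the loader.
const LOCALE_NAME = /^[a-z]{1,3}(?:-[a-z0-9]{2,8}){0,3}$/;

// Constructed allowlist (assumption); build it from moment.locales() in practice.
const KNOWN_LOCALES = new Set(["en", "en-gb", "de", "fr", "zh-cn", "x-pseudo"]);

// Returns a locale name that is safe to hand to moment.locale(), or the
// fallback when the input is missing, malformed, or not a shipped locale.
function sanitizeLocale(userValue, fallback = "en") {
  if (typeof userValue !== "string") return fallback;
  const name = userValue.trim().toLowerCase();
  if (!LOCALE_NAME.test(name)) return fallback;      // reject path-like input
  if (!KNOWN_LOCALES.has(name)) return fallback;     // reject unknown locales
  return name;
}

// Applies the sanitized name to moment when the package is installed; falls
// back to just returning the sanitized name so the example runs without it.
function applyLocale(userValue) {
  const name = sanitizeLocale(userValue);
  let moment;
  try {
    moment = require("moment");
  } catch (err) {
    return name;
  }
  moment.locale(name);
  return moment.locale();
}

module.exports = { sanitizeLocale, applyLocale };
```

The same check works as an Express middleware or request validator, as long as the locale string is sanitized before any call that can trigger a locale load.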
Cockpit stopped using moment.js in version 249 (https://github.com/cockpit-project/cockpit/commit/fd270ee36b078b was the latest one for the conversion), cockpit-podman did that in version 33 (https://github.com/cockpit-project/cockpit-podman/commit/83b79332b64f1), c-machines in version 248 (https://github.com/cockpit-project/cockpit-machines/commit/6705c23e2f3f6ef). So RHEL 8.5/8.6/9.0 are not affected at all. cockpit-composer apparently never used moment.js. Cockpit in RHEL 7.9 still uses moment.js, and calls `moment.locale(cockpit.language)`. The user does not have arbitrary control over that; it is parsed from the existing po.LL.js headers, which are under cockpit source code control. And even then, cockpit-ws does not allow path traversal beyond the user session privileges that the user has anyway. So I am confident that this issue does not affect anything in the cockpit-* family.
Created cockpit tracking bugs for this issue:
Affects: fedora-34 [bug 2075269]
Affects: fedora-35 [bug 2075285]
Affects: fedora-all [bug 2075252]

Created cockpit-composer tracking bugs for this issue:
Affects: fedora-34 [bug 2075270]
Affects: fedora-35 [bug 2075287]
Affects: fedora-all [bug 2075254]

Created cockpit-ostree tracking bugs for this issue:
Affects: fedora-34 [bug 2075271]
Affects: fedora-all [bug 2075255]

Created cockpit-session-recording tracking bugs for this issue:
Affects: fedora-34 [bug 2075272]
Affects: fedora-35 [bug 2075289]
Affects: fedora-all [bug 2075256]

Created couchdb tracking bugs for this issue:
Affects: fedora-34 [bug 2075273]
Affects: fedora-35 [bug 2075292]
Affects: fedora-all [bug 2075257]

Created golang-github-apache-beam-2 tracking bugs for this issue:
Affects: fedora-34 [bug 2075274]
Affects: fedora-35 [bug 2075295]
Affects: fedora-all [bug 2075258]

Created golang-github-cockroachdb-cockroach tracking bugs for this issue:
Affects: fedora-35 [bug 2075297]
Affects: fedora-all [bug 2075259]

Created golang-github-prometheus tracking bugs for this issue:
Affects: epel-7 [bug 2075267]
Affects: epel-all [bug 2075253]

Created grafana tracking bugs for this issue:
Affects: fedora-34 [bug 2075275]
Affects: fedora-35 [bug 2075299]
Affects: fedora-all [bug 2075260]

Created openvas-gsa tracking bugs for this issue:
Affects: fedora-34 [bug 2075277]
Affects: fedora-all [bug 2075261]

Created python-ipyparallel tracking bugs for this issue:
Affects: fedora-35 [bug 2075301]
Affects: fedora-all [bug 2075262]

Created python-notebook tracking bugs for this issue:
Affects: fedora-all [bug 2075263]

Created qpid-dispatch tracking bugs for this issue:
Affects: openstack-rdo [bug 2075266]

Created syncthing tracking bugs for this issue:
Affects: epel-8 [bug 2075268]
Affects: fedora-34 [bug 2075279]
Affects: fedora-35 [bug 2075302]

Created workrave tracking bugs for this issue:
Affects: fedora-34 [bug 2075281]
Affects: fedora-35 [bug 2075304]
Affects: fedora-all [bug 2075264]

Created zuul tracking bugs for this issue:
Affects: fedora-34 [bug 2075283]
Affects: fedora-35 [bug 2075306]
Affects: fedora-all [bug 2075265]
Created cockpit tracking bugs for this issue:
Affects: fedora-34 [bug 2075310]
Affects: fedora-35 [bug 2075322]
Affects: fedora-all [bug 2075276]

Created cockpit-composer tracking bugs for this issue:
Affects: fedora-34 [bug 2075311]
Affects: fedora-35 [bug 2075323]
Affects: fedora-all [bug 2075280]

Created cockpit-ostree tracking bugs for this issue:
Affects: fedora-34 [bug 2075312]
Affects: fedora-all [bug 2075282]

Created cockpit-session-recording tracking bugs for this issue:
Affects: fedora-34 [bug 2075313]
Affects: fedora-35 [bug 2075324]
Affects: fedora-all [bug 2075284]

Created couchdb tracking bugs for this issue:
Affects: fedora-34 [bug 2075315]
Affects: fedora-35 [bug 2075325]
Affects: fedora-all [bug 2075286]

Created golang-github-apache-beam-2 tracking bugs for this issue:
Affects: fedora-34 [bug 2075316]
Affects: fedora-35 [bug 2075326]
Affects: fedora-all [bug 2075288]

Created golang-github-cockroachdb-cockroach tracking bugs for this issue:
Affects: fedora-35 [bug 2075327]
Affects: fedora-all [bug 2075290]

Created golang-github-prometheus tracking bugs for this issue:
Affects: epel-7 [bug 2075308]
Affects: epel-all [bug 2075278]

Created grafana tracking bugs for this issue:
Affects: fedora-34 [bug 2075317]
Affects: fedora-35 [bug 2075328]
Affects: fedora-all [bug 2075293]

Created openvas-gsa tracking bugs for this issue:
Affects: fedora-34 [bug 2075318]
Affects: fedora-all [bug 2075296]

Created python-ipyparallel tracking bugs for this issue:
Affects: fedora-35 [bug 2075329]
Affects: fedora-all [bug 2075298]

Created python-notebook tracking bugs for this issue:
Affects: fedora-all [bug 2075300]

Created qpid-dispatch tracking bugs for this issue:
Affects: openstack-rdo [bug 2075307]

Created syncthing tracking bugs for this issue:
Affects: epel-8 [bug 2075309]
Affects: fedora-34 [bug 2075319]
Affects: fedora-35 [bug 2075330]

Created workrave tracking bugs for this issue:
Affects: fedora-34 [bug 2075320]
Affects: fedora-35 [bug 2075331]
Affects: fedora-all [bug 2075303]

Created zuul tracking bugs for this issue:
Affects: fedora-34 [bug 2075321]
Affects: fedora-35 [bug 2075332]
Affects: fedora-all [bug 2075305]
This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8 Via RHSA-2022:1681 https://access.redhat.com/errata/RHSA-2022:1681
This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7 Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8 Via RHSA-2022:1715 https://access.redhat.com/errata/RHSA-2022:1715
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-24785
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2022:4922 https://access.redhat.com/errata/RHSA-2022:4922
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 Via RHSA-2022:4918 https://access.redhat.com/errata/RHSA-2022:4918
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 Via RHSA-2022:4919 https://access.redhat.com/errata/RHSA-2022:4919
This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.5 for RHEL 8 Via RHSA-2022:4956 https://access.redhat.com/errata/RHSA-2022:4956
This issue has been addressed in the following products: OpenShift Service Mesh 2.1 Via RHSA-2022:5006 https://access.redhat.com/errata/RHSA-2022:5006
This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8 Via RHSA-2022:5201 https://access.redhat.com/errata/RHSA-2022:5201
This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8 Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7 Via RHSA-2022:5392 https://access.redhat.com/errata/RHSA-2022:5392
This issue has been addressed in the following products: Red Hat OpenShift Data Foundation 4.11 on RHEL8 Via RHSA-2022:6156 https://access.redhat.com/errata/RHSA-2022:6156
This issue has been addressed in the following products: OpenShift Service Mesh 2.0 Via RHSA-2022:6272 https://access.redhat.com/errata/RHSA-2022:6272
This issue has been addressed in the following products: OpenShift Service Mesh 2.1 Via RHSA-2022:6277 https://access.redhat.com/errata/RHSA-2022:6277
This issue has been addressed in the following products: RHPAM 7.13.1 async Via RHSA-2022:6813 https://access.redhat.com/errata/RHSA-2022:6813
This issue has been addressed in the following products: Red Hat Openshift distributed tracing 2.6 Via RHSA-2022:7055 https://access.redhat.com/errata/RHSA-2022:7055
This issue has been addressed in the following products: Red Hat Fuse 7.11.1 Via RHSA-2022:8652 https://access.redhat.com/errata/RHSA-2022:8652
This issue has been addressed in the following products: Red Hat Ceph Storage 5.3 Via RHSA-2023:0076 https://access.redhat.com/errata/RHSA-2023:0076
This issue has been addressed in the following products: Red Hat Single Sign-On 7.6 for RHEL 7 Via RHSA-2023:1043 https://access.redhat.com/errata/RHSA-2023:1043
This issue has been addressed in the following products: Red Hat Single Sign-On 7.6 for RHEL 8 Via RHSA-2023:1044 https://access.redhat.com/errata/RHSA-2023:1044
This issue has been addressed in the following products: Red Hat Single Sign-On 7.6 for RHEL 9 Via RHSA-2023:1045 https://access.redhat.com/errata/RHSA-2023:1045
This issue has been addressed in the following products: RHEL-8 based Middleware Containers Via RHSA-2023:1047 https://access.redhat.com/errata/RHSA-2023:1047
This issue has been addressed in the following products: Red Hat Single Sign-On Via RHSA-2023:1049 https://access.redhat.com/errata/RHSA-2023:1049
This issue has been addressed in the following products: Red Hat Ceph Storage 6.1 Via RHSA-2023:3642 https://access.redhat.com/errata/RHSA-2023:3642
This issue has been addressed in the following products: Red Hat Fuse 7.12 Via RHSA-2023:3954 https://access.redhat.com/errata/RHSA-2023:3954