Bug 2072009 (CVE-2022-24785) - CVE-2022-24785 Moment.js: Path traversal in moment.locale
Summary: CVE-2022-24785 Moment.js: Path traversal in moment.locale
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-24785
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2075253 2075267 2075278 2075308 2072837 2072944 2072945 2072946 2072947 2072948 2072949 2072950 2072951 2072952 2072953 2072954 2073996 2075252 2075254 2075255 2075256 2075257 2075258 2075259 2075260 2075261 2075262 2075263 2075264 2075265 2075266 2075268 2075269 2075270 2075271 2075272 2075273 2075274 2075275 2075276 2075277 2075279 2075280 2075281 2075282 2075283 2075284 2075285 2075286 2075287 2075288 2075289 2075290 2075291 2075292 2075293 2075294 2075295 2075296 2075297 2075298 2075299 2075300 2075301 2075302 2075303 2075304 2075305 2075306 2075307 2075309 2075310 2075311 2075312 2075313 2075314 2075315 2075316 2075317 2075318 2075319 2075320 2075321 2075322 2075323 2075324 2075325 2075326 2075327 2075328 2075329 2075330 2075331 2075332 2076839 2076840 2077628 2077700 2077706 2078007 2079699 2080407 2080408 2080409 2080410 2080506 2080508 2080510 2085278 2087668
Blocks: 2072047
Reported: 2022-04-05 12:05 UTC by Vipul Nair
Modified: 2024-03-20 10:33 UTC (History)

Fixed In Version: moment v 2.29.2
Doc Type: If docs needed, set a value
Doc Text:
A path traversal vulnerability was found in Moment.js that impacts npm (server) users. This issue occurs if a user-provided locale string is directly used to switch moment locale, which an attacker can exploit to change the correct path to one of their choice. This can result in a loss of integrity.
Clone Of:
Environment:
Last Closed: 2022-05-05 09:45:26 UTC
Embargoed:


Attachments


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:1681 0 None None None 2022-05-03 16:44:00 UTC
Red Hat Product Errata RHSA-2022:1715 0 None None None 2022-05-05 02:39:20 UTC
Red Hat Product Errata RHSA-2022:4918 0 None None None 2022-06-06 15:52:54 UTC
Red Hat Product Errata RHSA-2022:4919 0 None None None 2022-06-06 15:59:23 UTC
Red Hat Product Errata RHSA-2022:4922 0 None None None 2022-06-06 15:12:37 UTC
Red Hat Product Errata RHSA-2022:4956 0 None None None 2022-06-09 02:06:52 UTC
Red Hat Product Errata RHSA-2022:5006 0 None None None 2022-06-13 12:44:12 UTC
Red Hat Product Errata RHSA-2022:5201 0 None None None 2022-06-27 17:03:45 UTC
Red Hat Product Errata RHSA-2022:5392 0 None None None 2022-06-28 17:06:20 UTC
Red Hat Product Errata RHSA-2022:6156 0 None None None 2022-08-24 13:47:29 UTC
Red Hat Product Errata RHSA-2022:6272 0 None None None 2022-08-31 14:57:48 UTC
Red Hat Product Errata RHSA-2022:6277 0 None None None 2022-08-31 16:55:34 UTC
Red Hat Product Errata RHSA-2022:6813 0 None None None 2022-10-05 10:46:18 UTC
Red Hat Product Errata RHSA-2022:7055 0 None None None 2022-10-19 12:57:15 UTC
Red Hat Product Errata RHSA-2022:8652 0 None None None 2022-11-28 14:39:43 UTC
Red Hat Product Errata RHSA-2023:0076 0 None None None 2023-01-11 17:38:57 UTC
Red Hat Product Errata RHSA-2023:1043 0 None None None 2023-03-01 21:42:52 UTC
Red Hat Product Errata RHSA-2023:1044 0 None None None 2023-03-01 21:45:16 UTC
Red Hat Product Errata RHSA-2023:1045 0 None None None 2023-03-01 21:47:51 UTC
Red Hat Product Errata RHSA-2023:1047 0 None None None 2023-03-01 21:50:37 UTC
Red Hat Product Errata RHSA-2023:1049 0 None None None 2023-03-01 21:58:46 UTC
Red Hat Product Errata RHSA-2023:3642 0 None None None 2023-06-15 15:59:51 UTC
Red Hat Product Errata RHSA-2023:3954 0 None None None 2023-06-29 20:07:36 UTC

Description Vipul Nair 2022-04-05 12:05:48 UTC
Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.

https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5
https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4
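The workaround named above (sanitize the user-provided locale name before it reaches Moment.js) as added example code, not code from the Moment.js project or the reporter; the `SUPPORTED_LOCALES` allowlist, the `LOCALE_RE` pattern and the `makeFakeMoment` stand-in are constructed assumptions so the example runs without the package installed.

```javascript
// Added example, not Moment.js project code: allowlist a user-supplied locale
// name before it reaches moment.locale(). On Node, Moment loads a locale it
// has not seen yet with require("./locale/" + name), which is why a name
// carrying "/", "\" or ".." must never get that far (CVE-2022-24785).

// Locales this application ships. A constructed list rather than
// moment.locales(), because on Node moment.locales() only reports locales
// that have already been loaded.
const SUPPORTED_LOCALES = ["en", "en-gb", "de", "fr", "pt-br", "zh-cn"];

// BCP 47-style tag: 2-3 letter language plus optional 2-8 character subtags.
const LOCALE_RE = /^[a-z]{2,3}(?:-[a-z0-9]{2,8})*$/;

// Normalises `input` and returns it only if it is a well-formed tag that is
// on the allowlist; anything else, including non-strings, maps to `fallback`.
function sanitizeLocale(input, allowed = SUPPORTED_LOCALES, fallback = "en") {
  if (typeof input !== "string") return fallback;
  const name = input.trim().toLowerCase(); // Moment keys its locales in lower case
  if (!LOCALE_RE.test(name)) return fallback; // "../x", "en/..", "" all fail here
  return allowed.includes(name) ? name : fallback;
}

// Switches the locale on `m` (the moment export) using only the sanitized name.
function safeSetLocale(m, input, fallback = "en") {
  return m.locale(sanitizeLocale(input, SUPPORTED_LOCALES, fallback));
}

// Constructed stand-in for the moment export so the example runs offline;
// the real call is moment.locale(name).
function makeFakeMoment() {
  return {
    current: "en",
    locale(name) { this.current = name; return name; },
  };
}

// Usage with the real package: safeSetLocale(require("moment"), req.query.lang);
```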

Comment 1 Martin Pitt 2022-04-05 12:59:42 UTC
Cockpit stopped using moment.js in version 249 (https://github.com/cockpit-project/cockpit/commit/fd270ee36b078b was the latest one for the conversion), cockpit-podman did that in version 33 (https://github.com/cockpit-project/cockpit-podman/commit/83b79332b64f1), c-machines in version 248 (https://github.com/cockpit-project/cockpit-machines/commit/6705c23e2f3f6ef). So RHEL 8.5/8.6/9.0 are not affected at all. cockpit-composer apparently never used moment.js.

Cockpit in RHEL 7.9 still uses moment.js, and calls `moment.locale(cockpit.language)`. The user does not have arbitrary control over that, it is parsed from the existing po.LL.js headers, which are under cockpit source code control. And even then, cockpit-ws does not allow path traversal beyond the user session privileges that the user has anyway. So I am confident that this issue does not affect anything in the cockpit-* family.

Comment 10 Anten Skrabec 2022-04-13 21:59:03 UTC
Created cockpit tracking bugs for this issue:

Affects: fedora-34 [bug 2075269]
Affects: fedora-35 [bug 2075285]
Affects: fedora-all [bug 2075252]


Created cockpit-composer tracking bugs for this issue:

Affects: fedora-34 [bug 2075270]
Affects: fedora-35 [bug 2075287]
Affects: fedora-all [bug 2075254]


Created cockpit-ostree tracking bugs for this issue:

Affects: fedora-34 [bug 2075271]
Affects: fedora-all [bug 2075255]


Created cockpit-session-recording tracking bugs for this issue:

Affects: fedora-34 [bug 2075272]
Affects: fedora-35 [bug 2075289]
Affects: fedora-all [bug 2075256]


Created couchdb tracking bugs for this issue:

Affects: fedora-34 [bug 2075273]
Affects: fedora-35 [bug 2075292]
Affects: fedora-all [bug 2075257]


Created golang-github-apache-beam-2 tracking bugs for this issue:

Affects: fedora-34 [bug 2075274]
Affects: fedora-35 [bug 2075295]
Affects: fedora-all [bug 2075258]


Created golang-github-cockroachdb-cockroach tracking bugs for this issue:

Affects: fedora-35 [bug 2075297]
Affects: fedora-all [bug 2075259]


Created golang-github-prometheus tracking bugs for this issue:

Affects: epel-7 [bug 2075267]
Affects: epel-all [bug 2075253]


Created grafana tracking bugs for this issue:

Affects: fedora-34 [bug 2075275]
Affects: fedora-35 [bug 2075299]
Affects: fedora-all [bug 2075260]


Created openvas-gsa tracking bugs for this issue:

Affects: fedora-34 [bug 2075277]
Affects: fedora-all [bug 2075261]


Created python-ipyparallel tracking bugs for this issue:

Affects: fedora-35 [bug 2075301]
Affects: fedora-all [bug 2075262]


Created python-notebook tracking bugs for this issue:

Affects: fedora-all [bug 2075263]


Created qpid-dispatch tracking bugs for this issue:

Affects: openstack-rdo [bug 2075266]


Created syncthing tracking bugs for this issue:

Affects: epel-8 [bug 2075268]
Affects: fedora-34 [bug 2075279]
Affects: fedora-35 [bug 2075302]


Created workrave tracking bugs for this issue:

Affects: fedora-34 [bug 2075281]
Affects: fedora-35 [bug 2075304]
Affects: fedora-all [bug 2075264]


Created zuul tracking bugs for this issue:

Affects: fedora-34 [bug 2075283]
Affects: fedora-35 [bug 2075306]
Affects: fedora-all [bug 2075265]

Comment 11 Anten Skrabec 2022-04-13 22:00:27 UTC
Created cockpit tracking bugs for this issue:

Affects: fedora-34 [bug 2075310]
Affects: fedora-35 [bug 2075322]
Affects: fedora-all [bug 2075276]


Created cockpit-composer tracking bugs for this issue:

Affects: fedora-34 [bug 2075311]
Affects: fedora-35 [bug 2075323]
Affects: fedora-all [bug 2075280]


Created cockpit-ostree tracking bugs for this issue:

Affects: fedora-34 [bug 2075312]
Affects: fedora-all [bug 2075282]


Created cockpit-session-recording tracking bugs for this issue:

Affects: fedora-34 [bug 2075313]
Affects: fedora-35 [bug 2075324]
Affects: fedora-all [bug 2075284]


Created couchdb tracking bugs for this issue:

Affects: fedora-34 [bug 2075315]
Affects: fedora-35 [bug 2075325]
Affects: fedora-all [bug 2075286]


Created golang-github-apache-beam-2 tracking bugs for this issue:

Affects: fedora-34 [bug 2075316]
Affects: fedora-35 [bug 2075326]
Affects: fedora-all [bug 2075288]


Created golang-github-cockroachdb-cockroach tracking bugs for this issue:

Affects: fedora-35 [bug 2075327]
Affects: fedora-all [bug 2075290]


Created golang-github-prometheus tracking bugs for this issue:

Affects: epel-7 [bug 2075308]
Affects: epel-all [bug 2075278]


Created grafana tracking bugs for this issue:

Affects: fedora-34 [bug 2075317]
Affects: fedora-35 [bug 2075328]
Affects: fedora-all [bug 2075293]


Created openvas-gsa tracking bugs for this issue:

Affects: fedora-34 [bug 2075318]
Affects: fedora-all [bug 2075296]


Created python-ipyparallel tracking bugs for this issue:

Affects: fedora-35 [bug 2075329]
Affects: fedora-all [bug 2075298]


Created python-notebook tracking bugs for this issue:

Affects: fedora-all [bug 2075300]


Created qpid-dispatch tracking bugs for this issue:

Affects: openstack-rdo [bug 2075307]


Created syncthing tracking bugs for this issue:

Affects: epel-8 [bug 2075309]
Affects: fedora-34 [bug 2075319]
Affects: fedora-35 [bug 2075330]


Created workrave tracking bugs for this issue:

Affects: fedora-34 [bug 2075320]
Affects: fedora-35 [bug 2075331]
Affects: fedora-all [bug 2075303]


Created zuul tracking bugs for this issue:

Affects: fedora-34 [bug 2075321]
Affects: fedora-35 [bug 2075332]
Affects: fedora-all [bug 2075305]

Comment 18 errata-xmlrpc 2022-05-03 16:43:53 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8

Via RHSA-2022:1681 https://access.redhat.com/errata/RHSA-2022:1681

Comment 19 errata-xmlrpc 2022-05-05 02:39:12 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7
  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8

Via RHSA-2022:1715 https://access.redhat.com/errata/RHSA-2022:1715

Comment 20 Product Security DevOps Team 2022-05-05 09:45:17 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-24785

Comment 22 errata-xmlrpc 2022-06-06 15:12:29 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2022:4922 https://access.redhat.com/errata/RHSA-2022:4922

Comment 23 errata-xmlrpc 2022-06-06 15:52:46 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7

Via RHSA-2022:4918 https://access.redhat.com/errata/RHSA-2022:4918

Comment 24 errata-xmlrpc 2022-06-06 15:59:17 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8

Via RHSA-2022:4919 https://access.redhat.com/errata/RHSA-2022:4919

Comment 25 errata-xmlrpc 2022-06-09 02:06:45 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.5 for RHEL 8

Via RHSA-2022:4956 https://access.redhat.com/errata/RHSA-2022:4956

Comment 26 errata-xmlrpc 2022-06-13 12:44:04 UTC
This issue has been addressed in the following products:

  OpenShift Service Mesh 2.1

Via RHSA-2022:5006 https://access.redhat.com/errata/RHSA-2022:5006

Comment 27 errata-xmlrpc 2022-06-27 17:03:38 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8

Via RHSA-2022:5201 https://access.redhat.com/errata/RHSA-2022:5201

Comment 28 errata-xmlrpc 2022-06-28 17:06:13 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8
  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7

Via RHSA-2022:5392 https://access.redhat.com/errata/RHSA-2022:5392

Comment 29 errata-xmlrpc 2022-08-24 13:47:24 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Data Foundation 4.11 on RHEL8

Via RHSA-2022:6156 https://access.redhat.com/errata/RHSA-2022:6156

Comment 30 errata-xmlrpc 2022-08-31 14:57:43 UTC
This issue has been addressed in the following products:

  OpenShift Service Mesh 2.0

Via RHSA-2022:6272 https://access.redhat.com/errata/RHSA-2022:6272

Comment 31 errata-xmlrpc 2022-08-31 16:55:26 UTC
This issue has been addressed in the following products:

  OpenShift Service Mesh 2.1

Via RHSA-2022:6277 https://access.redhat.com/errata/RHSA-2022:6277

Comment 32 errata-xmlrpc 2022-10-05 10:46:10 UTC
This issue has been addressed in the following products:

  RHPAM 7.13.1 async

Via RHSA-2022:6813 https://access.redhat.com/errata/RHSA-2022:6813

Comment 33 errata-xmlrpc 2022-10-19 12:57:05 UTC
This issue has been addressed in the following products:

  Red Hat Openshift distributed tracing 2.6

Via RHSA-2022:7055 https://access.redhat.com/errata/RHSA-2022:7055

Comment 34 errata-xmlrpc 2022-11-28 14:39:38 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.11.1

Via RHSA-2022:8652 https://access.redhat.com/errata/RHSA-2022:8652

Comment 35 errata-xmlrpc 2023-01-11 17:38:51 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 5.3

Via RHSA-2023:0076 https://access.redhat.com/errata/RHSA-2023:0076

Comment 36 errata-xmlrpc 2023-03-01 21:42:47 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 7

Via RHSA-2023:1043 https://access.redhat.com/errata/RHSA-2023:1043

Comment 37 errata-xmlrpc 2023-03-01 21:45:11 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 8

Via RHSA-2023:1044 https://access.redhat.com/errata/RHSA-2023:1044

Comment 38 errata-xmlrpc 2023-03-01 21:47:44 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 9

Via RHSA-2023:1045 https://access.redhat.com/errata/RHSA-2023:1045

Comment 39 errata-xmlrpc 2023-03-01 21:50:30 UTC
This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2023:1047 https://access.redhat.com/errata/RHSA-2023:1047

Comment 40 errata-xmlrpc 2023-03-01 21:58:39 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On

Via RHSA-2023:1049 https://access.redhat.com/errata/RHSA-2023:1049

Comment 41 errata-xmlrpc 2023-06-15 15:59:44 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 6.1

Via RHSA-2023:3642 https://access.redhat.com/errata/RHSA-2023:3642

Comment 42 errata-xmlrpc 2023-06-29 20:07:30 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.12

Via RHSA-2023:3954 https://access.redhat.com/errata/RHSA-2023:3954
