#VU11300 Resource exhaustion in Moment


Published: 2018-03-28

Vulnerability identifier: #VU11300

Vulnerability risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-18214

CWE-ID: CWE-400

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Moment
Web applications / JS libraries

Vendor: Moment.js

Description
The vulnerability allows a remote unauthenticated attacker to cause DoS condition on the target system.

The weakness exists due to resource exhaustion. A remote attacker can submit a specially crafted data string and cause the service to crash.

Mitigation
Update to version 2.19.3.

Vulnerable software versions

Moment: 2.18.0 - 2.19.2

External links
http://github.com/moment/moment/issues/4163

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Business Automation Manager Open Editions
Multiple vulnerabilities in IBM Jazz Reporting Service
Multiple vulnerabilities in JBoss Enterprise Application Platform 7.4 for RHEL 9
Multiple vulnerabilities in JBoss Enterprise Application Platform 7.4 for RHEL 8
Multiple vulnerabilities in JBoss Enterprise Application Platform 7.4 for RHEL 7
Multiple vulnerabilities in Red Hat JBoss Enterprise Application Platform 7.4
Multiple vulnerabilities in IBM QRadar DNS Analyzer App
Multiple vulnerabilities in Mitsubishi Electric EcoWebServerIII
Denial of service in Moment module for Node.js