Path traversal in Moment

#VU62463 Path traversal in Moment

Published: 2022-04-20

Vulnerability identifier: #VU62463

Vulnerability risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-24785

CWE-ID: CWE-22

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Moment
Web applications / JS libraries

Vendor: Moment.js

Description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences within the npm version of Moment.js. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Moment: 1.0.1 - 2.29.1

External links
http://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5
http://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Watson Machine Learning Accelerator on Cloud Pak for Data

IBM Cloud Pak System update for moment.js

Path traversal in IBM Storage Ceph

Multiple vulnerabilities in IBM Cloud Pak for Security (CP4S)

Multiple vulnerabilities in IBM Jazz Reporting Service

Multiple vulnerabilities in IBM VM Recovery Manager HA and DR GUI

Fedora 39 update for python-notebook

Multiple vulnerabilities in IBM Spectrum Discover

Multiple vulnerabilities in Red Hat Ceph Storage

Multiple vulnerabilities in IBM QRadar Deployment Intelligence App