[SECURITY VULNERABILITY] moment dependency | ww.wp.xz.cn

forboding-angel
(@forboding-angel)

8 years, 3 months ago

We found a potential security vulnerability in one of your dependencies.
The moment dependency defined in package-lock.json has a known moderate severity security vulnerability in version range < 2.19.3 and should be updated.

These dependencies have been defined in the manifest files, such as /backupwordpress/package-lock.json

https://nvd.nist.gov/vuln/detail/CVE-2017-18214

CVE-2017-18214 Detail

Description
The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055.

Viewing 5 replies - 1 through 5 (of 5 total)

Thread Starter forboding-angel
(@forboding-angel)

8 years, 3 months ago

Forgot to mention that this was an aut-find thanks to github

Plugin Contributor Katrina “Kat” Moody
(@katmoody)

8 years, 3 months ago

Thanks for the head’s up – I’m pushing this through to our developers!
Kat

Plugin Contributor Katrina “Kat” Moody
(@katmoody)

8 years, 3 months ago

Just a heads’ up should anyone else run into this one – We will be packaging an update to these outdated libraries with a new update within the next week or two and that should address this potential security issue. Should anyone have further questions on this please feel free to respond here and we will reply as soon as we can!

Kat

Thread Starter forboding-angel
(@forboding-angel)

8 years, 2 months ago

You never released an update. It’s been a month.

David Anderson / Team Updraft
(@davidanderson)

7 years, 11 months ago

> The moment module before 2.19.3 for Node.js

N.B. A browser environment is *not* Node.js.

Viewing 5 replies - 1 through 5 (of 5 total)

The topic ‘[SECURITY VULNERABILITY] moment dependency’ is closed to new replies.

5 replies
3 participants
Last reply from: David Anderson / Team Updraft
Last activity: 7 years, 11 months ago
Status: not resolved