csaf_redhat - rhsa-2022

rhsa-2022_6272

Vulnerability from csaf_redhat

Published

2022-08-31 15:00

Modified

2024-09-19 07:50

Summary

Red Hat Security Advisory: Red Hat OpenShift Service Mesh 2.0.11 security update

Notes

Topic

An update is now available for Red Hat OpenShift Service Mesh 2.0.11. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details

Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an OpenShift Container Platform installation. This advisory covers the RPM packages for the release. Security Fix(es): * moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129) * Moment.js: Path traversal in moment.locale (CVE-2022-24785) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update is now available for Red Hat OpenShift Service Mesh 2.0.11.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat OpenShift Service Mesh is Red Hat\u0027s distribution of the Istio service mesh project, tailored for installation into an OpenShift Container Platform installation.\n\nThis advisory covers the RPM packages for the release.\n\nSecurity Fix(es):\n\n* moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)\n* Moment.js: Path traversal in moment.locale (CVE-2022-24785)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat offerings.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2022:6272",
        "url": "https://access.redhat.com/errata/RHSA-2022:6272"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "2072009",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2072009"
      },
      {
        "category": "external",
        "summary": "2105075",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2105075"
      },
      {
        "category": "external",
        "summary": "OSSM-1864",
        "url": "https://issues.redhat.com/browse/OSSM-1864"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://access.redhat.com/security/data/csaf/v2/advisories/2022/rhsa-2022_6272.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat OpenShift Service Mesh 2.0.11 security update",
    "tracking": {
      "current_release_date": "2024-09-19T07:50:53+00:00",
      "generator": {
        "date": "2024-09-19T07:50:53+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "3.33.3"
        }
      },
      "id": "RHSA-2022:6272",
      "initial_release_date": "2022-08-31T15:00:53+00:00",
      "revision_history": [
        {
          "date": "2022-08-31T15:00:53+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2022-08-31T15:00:53+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-09-19T07:50:53+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "OpenShift Service Mesh 2.0",
                "product": {
                  "name": "OpenShift Service Mesh 2.0",
                  "product_id": "8Base-OSSM-2.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:service_mesh:2.0::el8"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat OpenShift Service Mesh"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "servicemesh-cni-0:2.0.11-1.el8.src",
                "product": {
                  "name": "servicemesh-cni-0:2.0.11-1.el8.src",
                  "product_id": "servicemesh-cni-0:2.0.11-1.el8.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/servicemesh-cni@2.0.11-1.el8?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "servicemesh-prometheus-0:2.14.0-18.el8.1.src",
                "product": {
                  "name": "servicemesh-prometheus-0:2.14.0-18.el8.1.src",
                  "product_id": "servicemesh-prometheus-0:2.14.0-18.el8.1.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/servicemesh-prometheus@2.14.0-18.el8.1?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "servicemesh-0:2.0.11-1.el8.src",
                "product": {
                  "name": "servicemesh-0:2.0.11-1.el8.src",
                  "product_id": "servicemesh-0:2.0.11-1.el8.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/servicemesh@2.0.11-1.el8?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "servicemesh-operator-0:2.0.11-1.el8.src",
                "product": {
                  "name": "servicemesh-operator-0:2.0.11-1.el8.src",
                  "product_id": "servicemesh-operator-0:2.0.11-1.el8.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/servicemesh-operator@2.0.11-1.el8?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "servicemesh-proxy-0:2.0.11-1.el8.src",
                "product": {
                  "name": "servicemesh-proxy-0:2.0.11-1.el8.src",
                  "product_id": "servicemesh-proxy-0:2.0.11-1.el8.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/servicemesh-proxy@2.0.11-1.el8?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "servicemesh-cni-0:2.0.11-1.el8.x86_64",
                "product": {
                  "name": "servicemesh-cni-0:2.0.11-1.el8.x86_64",
                  "product_id": "servicemesh-cni-0:2.0.11-1.el8.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/servicemesh-cni@2.0.11-1.el8?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "servicemesh-prometheus-0:2.14.0-18.el8.1.x86_64",
                "product": {
                  "name": "servicemesh-prometheus-0:2.14.0-18.el8.1.x86_64",
                  "product_id": "servicemesh-prometheus-0:2.14.0-18.el8.1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/servicemesh-prometheus@2.14.0-18.el8.1?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "servicemesh-0:2.0.11-1.el8.x86_64",
                "product": {
                  "name": "servicemesh-0:2.0.11-1.el8.x86_64",
                  "product_id": "servicemesh-0:2.0.11-1.el8.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/servicemesh@2.0.11-1.el8?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "servicemesh-istioctl-0:2.0.11-1.el8.x86_64",
                "product": {
                  "name": "servicemesh-istioctl-0:2.0.11-1.el8.x86_64",
                  "product_id": "servicemesh-istioctl-0:2.0.11-1.el8.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/servicemesh-istioctl@2.0.11-1.el8?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "servicemesh-mixc-0:2.0.11-1.el8.x86_64",
                "product": {
                  "name": "servicemesh-mixc-0:2.0.11-1.el8.x86_64",
                  "product_id": "servicemesh-mixc-0:2.0.11-1.el8.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/servicemesh-mixc@2.0.11-1.el8?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "servicemesh-mixs-0:2.0.11-1.el8.x86_64",
                "product": {
                  "name": "servicemesh-mixs-0:2.0.11-1.el8.x86_64",
                  "product_id": "servicemesh-mixs-0:2.0.11-1.el8.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/servicemesh-mixs@2.0.11-1.el8?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "servicemesh-pilot-agent-0:2.0.11-1.el8.x86_64",
                "product": {
                  "name": "servicemesh-pilot-agent-0:2.0.11-1.el8.x86_64",
                  "product_id": "servicemesh-pilot-agent-0:2.0.11-1.el8.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/servicemesh-pilot-agent@2.0.11-1.el8?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "servicemesh-pilot-discovery-0:2.0.11-1.el8.x86_64",
                "product": {
                  "name": "servicemesh-pilot-discovery-0:2.0.11-1.el8.x86_64",
                  "product_id": "servicemesh-pilot-discovery-0:2.0.11-1.el8.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/servicemesh-pilot-discovery@2.0.11-1.el8?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "servicemesh-operator-0:2.0.11-1.el8.x86_64",
                "product": {
                  "name": "servicemesh-operator-0:2.0.11-1.el8.x86_64",
                  "product_id": "servicemesh-operator-0:2.0.11-1.el8.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/servicemesh-operator@2.0.11-1.el8?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "servicemesh-proxy-0:2.0.11-1.el8.x86_64",
                "product": {
                  "name": "servicemesh-proxy-0:2.0.11-1.el8.x86_64",
                  "product_id": "servicemesh-proxy-0:2.0.11-1.el8.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/servicemesh-proxy@2.0.11-1.el8?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "servicemesh-cni-0:2.0.11-1.el8.ppc64le",
                "product": {
                  "name": "servicemesh-cni-0:2.0.11-1.el8.ppc64le",
                  "product_id": "servicemesh-cni-0:2.0.11-1.el8.ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/servicemesh-cni@2.0.11-1.el8?arch=ppc64le"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "servicemesh-prometheus-0:2.14.0-18.el8.1.ppc64le",
                "product": {
                  "name": "servicemesh-prometheus-0:2.14.0-18.el8.1.ppc64le",
                  "product_id": "servicemesh-prometheus-0:2.14.0-18.el8.1.ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/servicemesh-prometheus@2.14.0-18.el8.1?arch=ppc64le"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "servicemesh-0:2.0.11-1.el8.ppc64le",
                "product": {
                  "name": "servicemesh-0:2.0.11-1.el8.ppc64le",
                  "product_id": "servicemesh-0:2.0.11-1.el8.ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/servicemesh@2.0.11-1.el8?arch=ppc64le"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "servicemesh-istioctl-0:2.0.11-1.el8.ppc64le",
                "product": {
                  "name": "servicemesh-istioctl-0:2.0.11-1.el8.ppc64le",
                  "product_id": "servicemesh-istioctl-0:2.0.11-1.el8.ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/servicemesh-istioctl@2.0.11-1.el8?arch=ppc64le"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "servicemesh-mixc-0:2.0.11-1.el8.ppc64le",
                "product": {
                  "name": "servicemesh-mixc-0:2.0.11-1.el8.ppc64le",
                  "product_id": "servicemesh-mixc-0:2.0.11-1.el8.ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/servicemesh-mixc@2.0.11-1.el8?arch=ppc64le"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "servicemesh-mixs-0:2.0.11-1.el8.ppc64le",
                "product": {
                  "name": "servicemesh-mixs-0:2.0.11-1.el8.ppc64le",
                  "product_id": "servicemesh-mixs-0:2.0.11-1.el8.ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/servicemesh-mixs@2.0.11-1.el8?arch=ppc64le"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "servicemesh-pilot-agent-0:2.0.11-1.el8.ppc64le",
                "product": {
                  "name": "servicemesh-pilot-agent-0:2.0.11-1.el8.ppc64le",
                  "product_id": "servicemesh-pilot-agent-0:2.0.11-1.el8.ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/servicemesh-pilot-agent@2.0.11-1.el8?arch=ppc64le"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "servicemesh-pilot-discovery-0:2.0.11-1.el8.ppc64le",
                "product": {
                  "name": "servicemesh-pilot-discovery-0:2.0.11-1.el8.ppc64le",
                  "product_id": "servicemesh-pilot-discovery-0:2.0.11-1.el8.ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/servicemesh-pilot-discovery@2.0.11-1.el8?arch=ppc64le"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "servicemesh-operator-0:2.0.11-1.el8.ppc64le",
                "product": {
                  "name": "servicemesh-operator-0:2.0.11-1.el8.ppc64le",
                  "product_id": "servicemesh-operator-0:2.0.11-1.el8.ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/servicemesh-operator@2.0.11-1.el8?arch=ppc64le"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "servicemesh-proxy-0:2.0.11-1.el8.ppc64le",
                "product": {
                  "name": "servicemesh-proxy-0:2.0.11-1.el8.ppc64le",
                  "product_id": "servicemesh-proxy-0:2.0.11-1.el8.ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/servicemesh-proxy@2.0.11-1.el8?arch=ppc64le"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "servicemesh-cni-0:2.0.11-1.el8.s390x",
                "product": {
                  "name": "servicemesh-cni-0:2.0.11-1.el8.s390x",
                  "product_id": "servicemesh-cni-0:2.0.11-1.el8.s390x",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/servicemesh-cni@2.0.11-1.el8?arch=s390x"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "servicemesh-prometheus-0:2.14.0-18.el8.1.s390x",
                "product": {
                  "name": "servicemesh-prometheus-0:2.14.0-18.el8.1.s390x",
                  "product_id": "servicemesh-prometheus-0:2.14.0-18.el8.1.s390x",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/servicemesh-prometheus@2.14.0-18.el8.1?arch=s390x"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "servicemesh-0:2.0.11-1.el8.s390x",
                "product": {
                  "name": "servicemesh-0:2.0.11-1.el8.s390x",
                  "product_id": "servicemesh-0:2.0.11-1.el8.s390x",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/servicemesh@2.0.11-1.el8?arch=s390x"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "servicemesh-istioctl-0:2.0.11-1.el8.s390x",
                "product": {
                  "name": "servicemesh-istioctl-0:2.0.11-1.el8.s390x",
                  "product_id": "servicemesh-istioctl-0:2.0.11-1.el8.s390x",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/servicemesh-istioctl@2.0.11-1.el8?arch=s390x"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "servicemesh-mixc-0:2.0.11-1.el8.s390x",
                "product": {
                  "name": "servicemesh-mixc-0:2.0.11-1.el8.s390x",
                  "product_id": "servicemesh-mixc-0:2.0.11-1.el8.s390x",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/servicemesh-mixc@2.0.11-1.el8?arch=s390x"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "servicemesh-mixs-0:2.0.11-1.el8.s390x",
                "product": {
                  "name": "servicemesh-mixs-0:2.0.11-1.el8.s390x",
                  "product_id": "servicemesh-mixs-0:2.0.11-1.el8.s390x",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/servicemesh-mixs@2.0.11-1.el8?arch=s390x"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "servicemesh-pilot-agent-0:2.0.11-1.el8.s390x",
                "product": {
                  "name": "servicemesh-pilot-agent-0:2.0.11-1.el8.s390x",
                  "product_id": "servicemesh-pilot-agent-0:2.0.11-1.el8.s390x",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/servicemesh-pilot-agent@2.0.11-1.el8?arch=s390x"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "servicemesh-pilot-discovery-0:2.0.11-1.el8.s390x",
                "product": {
                  "name": "servicemesh-pilot-discovery-0:2.0.11-1.el8.s390x",
                  "product_id": "servicemesh-pilot-discovery-0:2.0.11-1.el8.s390x",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/servicemesh-pilot-discovery@2.0.11-1.el8?arch=s390x"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "servicemesh-operator-0:2.0.11-1.el8.s390x",
                "product": {
                  "name": "servicemesh-operator-0:2.0.11-1.el8.s390x",
                  "product_id": "servicemesh-operator-0:2.0.11-1.el8.s390x",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/servicemesh-operator@2.0.11-1.el8?arch=s390x"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "servicemesh-proxy-0:2.0.11-1.el8.s390x",
                "product": {
                  "name": "servicemesh-proxy-0:2.0.11-1.el8.s390x",
                  "product_id": "servicemesh-proxy-0:2.0.11-1.el8.s390x",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/servicemesh-proxy@2.0.11-1.el8?arch=s390x"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "servicemesh-0:2.0.11-1.el8.ppc64le as a component of OpenShift Service Mesh 2.0",
          "product_id": "8Base-OSSM-2.0:servicemesh-0:2.0.11-1.el8.ppc64le"
        },
        "product_reference": "servicemesh-0:2.0.11-1.el8.ppc64le",
        "relates_to_product_reference": "8Base-OSSM-2.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "servicemesh-0:2.0.11-1.el8.s390x as a component of OpenShift Service Mesh 2.0",
          "product_id": "8Base-OSSM-2.0:servicemesh-0:2.0.11-1.el8.s390x"
        },
        "product_reference": "servicemesh-0:2.0.11-1.el8.s390x",
        "relates_to_product_reference": "8Base-OSSM-2.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "servicemesh-0:2.0.11-1.el8.src as a component of OpenShift Service Mesh 2.0",
          "product_id": "8Base-OSSM-2.0:servicemesh-0:2.0.11-1.el8.src"
        },
        "product_reference": "servicemesh-0:2.0.11-1.el8.src",
        "relates_to_product_reference": "8Base-OSSM-2.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "servicemesh-0:2.0.11-1.el8.x86_64 as a component of OpenShift Service Mesh 2.0",
          "product_id": "8Base-OSSM-2.0:servicemesh-0:2.0.11-1.el8.x86_64"
        },
        "product_reference": "servicemesh-0:2.0.11-1.el8.x86_64",
        "relates_to_product_reference": "8Base-OSSM-2.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "servicemesh-cni-0:2.0.11-1.el8.ppc64le as a component of OpenShift Service Mesh 2.0",
          "product_id": "8Base-OSSM-2.0:servicemesh-cni-0:2.0.11-1.el8.ppc64le"
        },
        "product_reference": "servicemesh-cni-0:2.0.11-1.el8.ppc64le",
        "relates_to_product_reference": "8Base-OSSM-2.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "servicemesh-cni-0:2.0.11-1.el8.s390x as a component of OpenShift Service Mesh 2.0",
          "product_id": "8Base-OSSM-2.0:servicemesh-cni-0:2.0.11-1.el8.s390x"
        },
        "product_reference": "servicemesh-cni-0:2.0.11-1.el8.s390x",
        "relates_to_product_reference": "8Base-OSSM-2.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "servicemesh-cni-0:2.0.11-1.el8.src as a component of OpenShift Service Mesh 2.0",
          "product_id": "8Base-OSSM-2.0:servicemesh-cni-0:2.0.11-1.el8.src"
        },
        "product_reference": "servicemesh-cni-0:2.0.11-1.el8.src",
        "relates_to_product_reference": "8Base-OSSM-2.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "servicemesh-cni-0:2.0.11-1.el8.x86_64 as a component of OpenShift Service Mesh 2.0",
          "product_id": "8Base-OSSM-2.0:servicemesh-cni-0:2.0.11-1.el8.x86_64"
        },
        "product_reference": "servicemesh-cni-0:2.0.11-1.el8.x86_64",
        "relates_to_product_reference": "8Base-OSSM-2.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "servicemesh-istioctl-0:2.0.11-1.el8.ppc64le as a component of OpenShift Service Mesh 2.0",
          "product_id": "8Base-OSSM-2.0:servicemesh-istioctl-0:2.0.11-1.el8.ppc64le"
        },
        "product_reference": "servicemesh-istioctl-0:2.0.11-1.el8.ppc64le",
        "relates_to_product_reference": "8Base-OSSM-2.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "servicemesh-istioctl-0:2.0.11-1.el8.s390x as a component of OpenShift Service Mesh 2.0",
          "product_id": "8Base-OSSM-2.0:servicemesh-istioctl-0:2.0.11-1.el8.s390x"
        },
        "product_reference": "servicemesh-istioctl-0:2.0.11-1.el8.s390x",
        "relates_to_product_reference": "8Base-OSSM-2.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "servicemesh-istioctl-0:2.0.11-1.el8.x86_64 as a component of OpenShift Service Mesh 2.0",
          "product_id": "8Base-OSSM-2.0:servicemesh-istioctl-0:2.0.11-1.el8.x86_64"
        },
        "product_reference": "servicemesh-istioctl-0:2.0.11-1.el8.x86_64",
        "relates_to_product_reference": "8Base-OSSM-2.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "servicemesh-mixc-0:2.0.11-1.el8.ppc64le as a component of OpenShift Service Mesh 2.0",
          "product_id": "8Base-OSSM-2.0:servicemesh-mixc-0:2.0.11-1.el8.ppc64le"
        },
        "product_reference": "servicemesh-mixc-0:2.0.11-1.el8.ppc64le",
        "relates_to_product_reference": "8Base-OSSM-2.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "servicemesh-mixc-0:2.0.11-1.el8.s390x as a component of OpenShift Service Mesh 2.0",
          "product_id": "8Base-OSSM-2.0:servicemesh-mixc-0:2.0.11-1.el8.s390x"
        },
        "product_reference": "servicemesh-mixc-0:2.0.11-1.el8.s390x",
        "relates_to_product_reference": "8Base-OSSM-2.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "servicemesh-mixc-0:2.0.11-1.el8.x86_64 as a component of OpenShift Service Mesh 2.0",
          "product_id": "8Base-OSSM-2.0:servicemesh-mixc-0:2.0.11-1.el8.x86_64"
        },
        "product_reference": "servicemesh-mixc-0:2.0.11-1.el8.x86_64",
        "relates_to_product_reference": "8Base-OSSM-2.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "servicemesh-mixs-0:2.0.11-1.el8.ppc64le as a component of OpenShift Service Mesh 2.0",
          "product_id": "8Base-OSSM-2.0:servicemesh-mixs-0:2.0.11-1.el8.ppc64le"
        },
        "product_reference": "servicemesh-mixs-0:2.0.11-1.el8.ppc64le",
        "relates_to_product_reference": "8Base-OSSM-2.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "servicemesh-mixs-0:2.0.11-1.el8.s390x as a component of OpenShift Service Mesh 2.0",
          "product_id": "8Base-OSSM-2.0:servicemesh-mixs-0:2.0.11-1.el8.s390x"
        },
        "product_reference": "servicemesh-mixs-0:2.0.11-1.el8.s390x",
        "relates_to_product_reference": "8Base-OSSM-2.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "servicemesh-mixs-0:2.0.11-1.el8.x86_64 as a component of OpenShift Service Mesh 2.0",
          "product_id": "8Base-OSSM-2.0:servicemesh-mixs-0:2.0.11-1.el8.x86_64"
        },
        "product_reference": "servicemesh-mixs-0:2.0.11-1.el8.x86_64",
        "relates_to_product_reference": "8Base-OSSM-2.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "servicemesh-operator-0:2.0.11-1.el8.ppc64le as a component of OpenShift Service Mesh 2.0",
          "product_id": "8Base-OSSM-2.0:servicemesh-operator-0:2.0.11-1.el8.ppc64le"
        },
        "product_reference": "servicemesh-operator-0:2.0.11-1.el8.ppc64le",
        "relates_to_product_reference": "8Base-OSSM-2.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "servicemesh-operator-0:2.0.11-1.el8.s390x as a component of OpenShift Service Mesh 2.0",
          "product_id": "8Base-OSSM-2.0:servicemesh-operator-0:2.0.11-1.el8.s390x"
        },
        "product_reference": "servicemesh-operator-0:2.0.11-1.el8.s390x",
        "relates_to_product_reference": "8Base-OSSM-2.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "servicemesh-operator-0:2.0.11-1.el8.src as a component of OpenShift Service Mesh 2.0",
          "product_id": "8Base-OSSM-2.0:servicemesh-operator-0:2.0.11-1.el8.src"
        },
        "product_reference": "servicemesh-operator-0:2.0.11-1.el8.src",
        "relates_to_product_reference": "8Base-OSSM-2.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "servicemesh-operator-0:2.0.11-1.el8.x86_64 as a component of OpenShift Service Mesh 2.0",
          "product_id": "8Base-OSSM-2.0:servicemesh-operator-0:2.0.11-1.el8.x86_64"
        },
        "product_reference": "servicemesh-operator-0:2.0.11-1.el8.x86_64",
        "relates_to_product_reference": "8Base-OSSM-2.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "servicemesh-pilot-agent-0:2.0.11-1.el8.ppc64le as a component of OpenShift Service Mesh 2.0",
          "product_id": "8Base-OSSM-2.0:servicemesh-pilot-agent-0:2.0.11-1.el8.ppc64le"
        },
        "product_reference": "servicemesh-pilot-agent-0:2.0.11-1.el8.ppc64le",
        "relates_to_product_reference": "8Base-OSSM-2.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "servicemesh-pilot-agent-0:2.0.11-1.el8.s390x as a component of OpenShift Service Mesh 2.0",
          "product_id": "8Base-OSSM-2.0:servicemesh-pilot-agent-0:2.0.11-1.el8.s390x"
        },
        "product_reference": "servicemesh-pilot-agent-0:2.0.11-1.el8.s390x",
        "relates_to_product_reference": "8Base-OSSM-2.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "servicemesh-pilot-agent-0:2.0.11-1.el8.x86_64 as a component of OpenShift Service Mesh 2.0",
          "product_id": "8Base-OSSM-2.0:servicemesh-pilot-agent-0:2.0.11-1.el8.x86_64"
        },
        "product_reference": "servicemesh-pilot-agent-0:2.0.11-1.el8.x86_64",
        "relates_to_product_reference": "8Base-OSSM-2.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "servicemesh-pilot-discovery-0:2.0.11-1.el8.ppc64le as a component of OpenShift Service Mesh 2.0",
          "product_id": "8Base-OSSM-2.0:servicemesh-pilot-discovery-0:2.0.11-1.el8.ppc64le"
        },
        "product_reference": "servicemesh-pilot-discovery-0:2.0.11-1.el8.ppc64le",
        "relates_to_product_reference": "8Base-OSSM-2.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "servicemesh-pilot-discovery-0:2.0.11-1.el8.s390x as a component of OpenShift Service Mesh 2.0",
          "product_id": "8Base-OSSM-2.0:servicemesh-pilot-discovery-0:2.0.11-1.el8.s390x"
        },
        "product_reference": "servicemesh-pilot-discovery-0:2.0.11-1.el8.s390x",
        "relates_to_product_reference": "8Base-OSSM-2.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "servicemesh-pilot-discovery-0:2.0.11-1.el8.x86_64 as a component of OpenShift Service Mesh 2.0",
          "product_id": "8Base-OSSM-2.0:servicemesh-pilot-discovery-0:2.0.11-1.el8.x86_64"
        },
        "product_reference": "servicemesh-pilot-discovery-0:2.0.11-1.el8.x86_64",
        "relates_to_product_reference": "8Base-OSSM-2.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "servicemesh-prometheus-0:2.14.0-18.el8.1.ppc64le as a component of OpenShift Service Mesh 2.0",
          "product_id": "8Base-OSSM-2.0:servicemesh-prometheus-0:2.14.0-18.el8.1.ppc64le"
        },
        "product_reference": "servicemesh-prometheus-0:2.14.0-18.el8.1.ppc64le",
        "relates_to_product_reference": "8Base-OSSM-2.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "servicemesh-prometheus-0:2.14.0-18.el8.1.s390x as a component of OpenShift Service Mesh 2.0",
          "product_id": "8Base-OSSM-2.0:servicemesh-prometheus-0:2.14.0-18.el8.1.s390x"
        },
        "product_reference": "servicemesh-prometheus-0:2.14.0-18.el8.1.s390x",
        "relates_to_product_reference": "8Base-OSSM-2.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "servicemesh-prometheus-0:2.14.0-18.el8.1.src as a component of OpenShift Service Mesh 2.0",
          "product_id": "8Base-OSSM-2.0:servicemesh-prometheus-0:2.14.0-18.el8.1.src"
        },
        "product_reference": "servicemesh-prometheus-0:2.14.0-18.el8.1.src",
        "relates_to_product_reference": "8Base-OSSM-2.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "servicemesh-prometheus-0:2.14.0-18.el8.1.x86_64 as a component of OpenShift Service Mesh 2.0",
          "product_id": "8Base-OSSM-2.0:servicemesh-prometheus-0:2.14.0-18.el8.1.x86_64"
        },
        "product_reference": "servicemesh-prometheus-0:2.14.0-18.el8.1.x86_64",
        "relates_to_product_reference": "8Base-OSSM-2.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "servicemesh-proxy-0:2.0.11-1.el8.ppc64le as a component of OpenShift Service Mesh 2.0",
          "product_id": "8Base-OSSM-2.0:servicemesh-proxy-0:2.0.11-1.el8.ppc64le"
        },
        "product_reference": "servicemesh-proxy-0:2.0.11-1.el8.ppc64le",
        "relates_to_product_reference": "8Base-OSSM-2.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "servicemesh-proxy-0:2.0.11-1.el8.s390x as a component of OpenShift Service Mesh 2.0",
          "product_id": "8Base-OSSM-2.0:servicemesh-proxy-0:2.0.11-1.el8.s390x"
        },
        "product_reference": "servicemesh-proxy-0:2.0.11-1.el8.s390x",
        "relates_to_product_reference": "8Base-OSSM-2.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "servicemesh-proxy-0:2.0.11-1.el8.src as a component of OpenShift Service Mesh 2.0",
          "product_id": "8Base-OSSM-2.0:servicemesh-proxy-0:2.0.11-1.el8.src"
        },
        "product_reference": "servicemesh-proxy-0:2.0.11-1.el8.src",
        "relates_to_product_reference": "8Base-OSSM-2.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "servicemesh-proxy-0:2.0.11-1.el8.x86_64 as a component of OpenShift Service Mesh 2.0",
          "product_id": "8Base-OSSM-2.0:servicemesh-proxy-0:2.0.11-1.el8.x86_64"
        },
        "product_reference": "servicemesh-proxy-0:2.0.11-1.el8.x86_64",
        "relates_to_product_reference": "8Base-OSSM-2.0"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-24785",
      "cwe": {
        "id": "CWE-22",
        "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
      },
      "discovery_date": "2022-04-05T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "8Base-OSSM-2.0:servicemesh-0:2.0.11-1.el8.ppc64le",
            "8Base-OSSM-2.0:servicemesh-0:2.0.11-1.el8.s390x",
            "8Base-OSSM-2.0:servicemesh-0:2.0.11-1.el8.src",
            "8Base-OSSM-2.0:servicemesh-0:2.0.11-1.el8.x86_64",
            "8Base-OSSM-2.0:servicemesh-cni-0:2.0.11-1.el8.ppc64le",
            "8Base-OSSM-2.0:servicemesh-cni-0:2.0.11-1.el8.s390x",
            "8Base-OSSM-2.0:servicemesh-cni-0:2.0.11-1.el8.src",
            "8Base-OSSM-2.0:servicemesh-cni-0:2.0.11-1.el8.x86_64",
            "8Base-OSSM-2.0:servicemesh-istioctl-0:2.0.11-1.el8.ppc64le",
            "8Base-OSSM-2.0:servicemesh-istioctl-0:2.0.11-1.el8.s390x",
            "8Base-OSSM-2.0:servicemesh-istioctl-0:2.0.11-1.el8.x86_64",
            "8Base-OSSM-2.0:servicemesh-mixc-0:2.0.11-1.el8.ppc64le",
            "8Base-OSSM-2.0:servicemesh-mixc-0:2.0.11-1.el8.s390x",
            "8Base-OSSM-2.0:servicemesh-mixc-0:2.0.11-1.el8.x86_64",
            "8Base-OSSM-2.0:servicemesh-mixs-0:2.0.11-1.el8.ppc64le",
            "8Base-OSSM-2.0:servicemesh-mixs-0:2.0.11-1.el8.s390x",
            "8Base-OSSM-2.0:servicemesh-mixs-0:2.0.11-1.el8.x86_64",
            "8Base-OSSM-2.0:servicemesh-operator-0:2.0.11-1.el8.ppc64le",
            "8Base-OSSM-2.0:servicemesh-operator-0:2.0.11-1.el8.s390x",
            "8Base-OSSM-2.0:servicemesh-operator-0:2.0.11-1.el8.src",
            "8Base-OSSM-2.0:servicemesh-operator-0:2.0.11-1.el8.x86_64",
            "8Base-OSSM-2.0:servicemesh-pilot-agent-0:2.0.11-1.el8.ppc64le",
            "8Base-OSSM-2.0:servicemesh-pilot-agent-0:2.0.11-1.el8.s390x",
            "8Base-OSSM-2.0:servicemesh-pilot-agent-0:2.0.11-1.el8.x86_64",
            "8Base-OSSM-2.0:servicemesh-pilot-discovery-0:2.0.11-1.el8.ppc64le",
            "8Base-OSSM-2.0:servicemesh-pilot-discovery-0:2.0.11-1.el8.s390x",
            "8Base-OSSM-2.0:servicemesh-pilot-discovery-0:2.0.11-1.el8.x86_64",
            "8Base-OSSM-2.0:servicemesh-proxy-0:2.0.11-1.el8.ppc64le",
            "8Base-OSSM-2.0:servicemesh-proxy-0:2.0.11-1.el8.s390x",
            "8Base-OSSM-2.0:servicemesh-proxy-0:2.0.11-1.el8.src",
            "8Base-OSSM-2.0:servicemesh-proxy-0:2.0.11-1.el8.x86_64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2072009"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A path traversal vulnerability was found in Moment.js that impacts npm (server) users. This issue occurs if a user-provided locale string is directly used to switch moment locale, which an attacker can exploit to change the correct path to one of their choice. This can result in a loss of integrity.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "Moment.js: Path traversal  in moment.locale",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-OSSM-2.0:servicemesh-prometheus-0:2.14.0-18.el8.1.ppc64le",
          "8Base-OSSM-2.0:servicemesh-prometheus-0:2.14.0-18.el8.1.s390x",
          "8Base-OSSM-2.0:servicemesh-prometheus-0:2.14.0-18.el8.1.src",
          "8Base-OSSM-2.0:servicemesh-prometheus-0:2.14.0-18.el8.1.x86_64"
        ],
        "known_not_affected": [
          "8Base-OSSM-2.0:servicemesh-0:2.0.11-1.el8.ppc64le",
          "8Base-OSSM-2.0:servicemesh-0:2.0.11-1.el8.s390x",
          "8Base-OSSM-2.0:servicemesh-0:2.0.11-1.el8.src",
          "8Base-OSSM-2.0:servicemesh-0:2.0.11-1.el8.x86_64",
          "8Base-OSSM-2.0:servicemesh-cni-0:2.0.11-1.el8.ppc64le",
          "8Base-OSSM-2.0:servicemesh-cni-0:2.0.11-1.el8.s390x",
          "8Base-OSSM-2.0:servicemesh-cni-0:2.0.11-1.el8.src",
          "8Base-OSSM-2.0:servicemesh-cni-0:2.0.11-1.el8.x86_64",
          "8Base-OSSM-2.0:servicemesh-istioctl-0:2.0.11-1.el8.ppc64le",
          "8Base-OSSM-2.0:servicemesh-istioctl-0:2.0.11-1.el8.s390x",
          "8Base-OSSM-2.0:servicemesh-istioctl-0:2.0.11-1.el8.x86_64",
          "8Base-OSSM-2.0:servicemesh-mixc-0:2.0.11-1.el8.ppc64le",
          "8Base-OSSM-2.0:servicemesh-mixc-0:2.0.11-1.el8.s390x",
          "8Base-OSSM-2.0:servicemesh-mixc-0:2.0.11-1.el8.x86_64",
          "8Base-OSSM-2.0:servicemesh-mixs-0:2.0.11-1.el8.ppc64le",
          "8Base-OSSM-2.0:servicemesh-mixs-0:2.0.11-1.el8.s390x",
          "8Base-OSSM-2.0:servicemesh-mixs-0:2.0.11-1.el8.x86_64",
          "8Base-OSSM-2.0:servicemesh-operator-0:2.0.11-1.el8.ppc64le",
          "8Base-OSSM-2.0:servicemesh-operator-0:2.0.11-1.el8.s390x",
          "8Base-OSSM-2.0:servicemesh-operator-0:2.0.11-1.el8.src",
          "8Base-OSSM-2.0:servicemesh-operator-0:2.0.11-1.el8.x86_64",
          "8Base-OSSM-2.0:servicemesh-pilot-agent-0:2.0.11-1.el8.ppc64le",
          "8Base-OSSM-2.0:servicemesh-pilot-agent-0:2.0.11-1.el8.s390x",
          "8Base-OSSM-2.0:servicemesh-pilot-agent-0:2.0.11-1.el8.x86_64",
          "8Base-OSSM-2.0:servicemesh-pilot-discovery-0:2.0.11-1.el8.ppc64le",
          "8Base-OSSM-2.0:servicemesh-pilot-discovery-0:2.0.11-1.el8.s390x",
          "8Base-OSSM-2.0:servicemesh-pilot-discovery-0:2.0.11-1.el8.x86_64",
          "8Base-OSSM-2.0:servicemesh-proxy-0:2.0.11-1.el8.ppc64le",
          "8Base-OSSM-2.0:servicemesh-proxy-0:2.0.11-1.el8.s390x",
          "8Base-OSSM-2.0:servicemesh-proxy-0:2.0.11-1.el8.src",
          "8Base-OSSM-2.0:servicemesh-proxy-0:2.0.11-1.el8.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-24785"
        },
        {
          "category": "external",
          "summary": "RHBZ#2072009",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2072009"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-24785",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-24785"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785"
        },
        {
          "category": "external",
          "summary": "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4",
          "url": "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4"
        }
      ],
      "release_date": "2022-04-04T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "The OpenShift Service Mesh release notes provide information on the features and known issues:\n\nhttps://docs.openshift.com/container-platform/latest/service_mesh/v2x/servicemesh-release-notes.html",
          "product_ids": [
            "8Base-OSSM-2.0:servicemesh-prometheus-0:2.14.0-18.el8.1.ppc64le",
            "8Base-OSSM-2.0:servicemesh-prometheus-0:2.14.0-18.el8.1.s390x",
            "8Base-OSSM-2.0:servicemesh-prometheus-0:2.14.0-18.el8.1.src",
            "8Base-OSSM-2.0:servicemesh-prometheus-0:2.14.0-18.el8.1.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:6272"
        },
        {
          "category": "workaround",
          "details": "Sanitize the user-provided locale name before passing it to Moment.js.",
          "product_ids": [
            "8Base-OSSM-2.0:servicemesh-0:2.0.11-1.el8.ppc64le",
            "8Base-OSSM-2.0:servicemesh-0:2.0.11-1.el8.s390x",
            "8Base-OSSM-2.0:servicemesh-0:2.0.11-1.el8.src",
            "8Base-OSSM-2.0:servicemesh-0:2.0.11-1.el8.x86_64",
            "8Base-OSSM-2.0:servicemesh-cni-0:2.0.11-1.el8.ppc64le",
            "8Base-OSSM-2.0:servicemesh-cni-0:2.0.11-1.el8.s390x",
            "8Base-OSSM-2.0:servicemesh-cni-0:2.0.11-1.el8.src",
            "8Base-OSSM-2.0:servicemesh-cni-0:2.0.11-1.el8.x86_64",
            "8Base-OSSM-2.0:servicemesh-istioctl-0:2.0.11-1.el8.ppc64le",
            "8Base-OSSM-2.0:servicemesh-istioctl-0:2.0.11-1.el8.s390x",
            "8Base-OSSM-2.0:servicemesh-istioctl-0:2.0.11-1.el8.x86_64",
            "8Base-OSSM-2.0:servicemesh-mixc-0:2.0.11-1.el8.ppc64le",
            "8Base-OSSM-2.0:servicemesh-mixc-0:2.0.11-1.el8.s390x",
            "8Base-OSSM-2.0:servicemesh-mixc-0:2.0.11-1.el8.x86_64",
            "8Base-OSSM-2.0:servicemesh-mixs-0:2.0.11-1.el8.ppc64le",
            "8Base-OSSM-2.0:servicemesh-mixs-0:2.0.11-1.el8.s390x",
            "8Base-OSSM-2.0:servicemesh-mixs-0:2.0.11-1.el8.x86_64",
            "8Base-OSSM-2.0:servicemesh-operator-0:2.0.11-1.el8.ppc64le",
            "8Base-OSSM-2.0:servicemesh-operator-0:2.0.11-1.el8.s390x",
            "8Base-OSSM-2.0:servicemesh-operator-0:2.0.11-1.el8.src",
            "8Base-OSSM-2.0:servicemesh-operator-0:2.0.11-1.el8.x86_64",
            "8Base-OSSM-2.0:servicemesh-pilot-agent-0:2.0.11-1.el8.ppc64le",
            "8Base-OSSM-2.0:servicemesh-pilot-agent-0:2.0.11-1.el8.s390x",
            "8Base-OSSM-2.0:servicemesh-pilot-agent-0:2.0.11-1.el8.x86_64",
            "8Base-OSSM-2.0:servicemesh-pilot-discovery-0:2.0.11-1.el8.ppc64le",
            "8Base-OSSM-2.0:servicemesh-pilot-discovery-0:2.0.11-1.el8.s390x",
            "8Base-OSSM-2.0:servicemesh-pilot-discovery-0:2.0.11-1.el8.x86_64",
            "8Base-OSSM-2.0:servicemesh-prometheus-0:2.14.0-18.el8.1.ppc64le",
            "8Base-OSSM-2.0:servicemesh-prometheus-0:2.14.0-18.el8.1.s390x",
            "8Base-OSSM-2.0:servicemesh-prometheus-0:2.14.0-18.el8.1.src",
            "8Base-OSSM-2.0:servicemesh-prometheus-0:2.14.0-18.el8.1.x86_64",
            "8Base-OSSM-2.0:servicemesh-proxy-0:2.0.11-1.el8.ppc64le",
            "8Base-OSSM-2.0:servicemesh-proxy-0:2.0.11-1.el8.s390x",
            "8Base-OSSM-2.0:servicemesh-proxy-0:2.0.11-1.el8.src",
            "8Base-OSSM-2.0:servicemesh-proxy-0:2.0.11-1.el8.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "8Base-OSSM-2.0:servicemesh-prometheus-0:2.14.0-18.el8.1.ppc64le",
            "8Base-OSSM-2.0:servicemesh-prometheus-0:2.14.0-18.el8.1.s390x",
            "8Base-OSSM-2.0:servicemesh-prometheus-0:2.14.0-18.el8.1.src",
            "8Base-OSSM-2.0:servicemesh-prometheus-0:2.14.0-18.el8.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "Moment.js: Path traversal  in moment.locale"
    },
    {
      "cve": "CVE-2022-31129",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2022-07-07T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "8Base-OSSM-2.0:servicemesh-0:2.0.11-1.el8.ppc64le",
            "8Base-OSSM-2.0:servicemesh-0:2.0.11-1.el8.s390x",
            "8Base-OSSM-2.0:servicemesh-0:2.0.11-1.el8.src",
            "8Base-OSSM-2.0:servicemesh-0:2.0.11-1.el8.x86_64",
            "8Base-OSSM-2.0:servicemesh-cni-0:2.0.11-1.el8.ppc64le",
            "8Base-OSSM-2.0:servicemesh-cni-0:2.0.11-1.el8.s390x",
            "8Base-OSSM-2.0:servicemesh-cni-0:2.0.11-1.el8.src",
            "8Base-OSSM-2.0:servicemesh-cni-0:2.0.11-1.el8.x86_64",
            "8Base-OSSM-2.0:servicemesh-istioctl-0:2.0.11-1.el8.ppc64le",
            "8Base-OSSM-2.0:servicemesh-istioctl-0:2.0.11-1.el8.s390x",
            "8Base-OSSM-2.0:servicemesh-istioctl-0:2.0.11-1.el8.x86_64",
            "8Base-OSSM-2.0:servicemesh-mixc-0:2.0.11-1.el8.ppc64le",
            "8Base-OSSM-2.0:servicemesh-mixc-0:2.0.11-1.el8.s390x",
            "8Base-OSSM-2.0:servicemesh-mixc-0:2.0.11-1.el8.x86_64",
            "8Base-OSSM-2.0:servicemesh-mixs-0:2.0.11-1.el8.ppc64le",
            "8Base-OSSM-2.0:servicemesh-mixs-0:2.0.11-1.el8.s390x",
            "8Base-OSSM-2.0:servicemesh-mixs-0:2.0.11-1.el8.x86_64",
            "8Base-OSSM-2.0:servicemesh-operator-0:2.0.11-1.el8.ppc64le",
            "8Base-OSSM-2.0:servicemesh-operator-0:2.0.11-1.el8.s390x",
            "8Base-OSSM-2.0:servicemesh-operator-0:2.0.11-1.el8.src",
            "8Base-OSSM-2.0:servicemesh-operator-0:2.0.11-1.el8.x86_64",
            "8Base-OSSM-2.0:servicemesh-pilot-agent-0:2.0.11-1.el8.ppc64le",
            "8Base-OSSM-2.0:servicemesh-pilot-agent-0:2.0.11-1.el8.s390x",
            "8Base-OSSM-2.0:servicemesh-pilot-agent-0:2.0.11-1.el8.x86_64",
            "8Base-OSSM-2.0:servicemesh-pilot-discovery-0:2.0.11-1.el8.ppc64le",
            "8Base-OSSM-2.0:servicemesh-pilot-discovery-0:2.0.11-1.el8.s390x",
            "8Base-OSSM-2.0:servicemesh-pilot-discovery-0:2.0.11-1.el8.x86_64",
            "8Base-OSSM-2.0:servicemesh-proxy-0:2.0.11-1.el8.ppc64le",
            "8Base-OSSM-2.0:servicemesh-proxy-0:2.0.11-1.el8.s390x",
            "8Base-OSSM-2.0:servicemesh-proxy-0:2.0.11-1.el8.src",
            "8Base-OSSM-2.0:servicemesh-proxy-0:2.0.11-1.el8.x86_64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2105075"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the Moment.js package. Users who pass user-provided strings without sanity length checks to the moment constructor are vulnerable to regular expression denial of service (ReDoS) attacks.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "moment: inefficient parsing algorithm resulting in DoS",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat Fuse provides the affected software but does not use the functionality and as such its impact has been downgraded to Low.\n\nRed Hat Advanced Cluster Management for Kubernetes (RHACM) ships a vulnerable version of the moment library. However, this affected functionality is restricted behind OAuth, reducing the impact to Moderate.\n\nRed Hat Satellite ships a vulnerable version of the moment library. However, this only affects a specific component (qpid-dispatch), reducing the impact to Moderate.\n\nRed Hat Ceph Storage (RHCS) ships a vulnerable version of the moment library, however, it is not directly used and is a transitive dependency from Angular. In addition, the impact would only be to the grafana browser, and not the underlying RHCS system, which reduces the impact to Moderate. \n\nRed Hat OpenShift Service Mesh (OSSM) ships a vulnerable version of the moment library, however, it is not directly used, and as such, the impact has been lowered to Moderate.\n\nRed Hat OpenShift distributed tracing ships a vulnerable version of the moment library, however, it is not directly used, and as such, the impact has been lowered to Moderate.\n\nIn Logging Subsystem for Red Hat OpenShift the vulnerable moment nodejs package is bundled in the ose-logging-kibana6 container as a transitive dependency, hence the direct impact is reduced to Moderate.\n\nIn OpenShift Container Platform 4 the vulnerabile moment package is a third party dependency, hence the direct impact is reduced to Moderate.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-OSSM-2.0:servicemesh-prometheus-0:2.14.0-18.el8.1.ppc64le",
          "8Base-OSSM-2.0:servicemesh-prometheus-0:2.14.0-18.el8.1.s390x",
          "8Base-OSSM-2.0:servicemesh-prometheus-0:2.14.0-18.el8.1.src",
          "8Base-OSSM-2.0:servicemesh-prometheus-0:2.14.0-18.el8.1.x86_64"
        ],
        "known_not_affected": [
          "8Base-OSSM-2.0:servicemesh-0:2.0.11-1.el8.ppc64le",
          "8Base-OSSM-2.0:servicemesh-0:2.0.11-1.el8.s390x",
          "8Base-OSSM-2.0:servicemesh-0:2.0.11-1.el8.src",
          "8Base-OSSM-2.0:servicemesh-0:2.0.11-1.el8.x86_64",
          "8Base-OSSM-2.0:servicemesh-cni-0:2.0.11-1.el8.ppc64le",
          "8Base-OSSM-2.0:servicemesh-cni-0:2.0.11-1.el8.s390x",
          "8Base-OSSM-2.0:servicemesh-cni-0:2.0.11-1.el8.src",
          "8Base-OSSM-2.0:servicemesh-cni-0:2.0.11-1.el8.x86_64",
          "8Base-OSSM-2.0:servicemesh-istioctl-0:2.0.11-1.el8.ppc64le",
          "8Base-OSSM-2.0:servicemesh-istioctl-0:2.0.11-1.el8.s390x",
          "8Base-OSSM-2.0:servicemesh-istioctl-0:2.0.11-1.el8.x86_64",
          "8Base-OSSM-2.0:servicemesh-mixc-0:2.0.11-1.el8.ppc64le",
          "8Base-OSSM-2.0:servicemesh-mixc-0:2.0.11-1.el8.s390x",
          "8Base-OSSM-2.0:servicemesh-mixc-0:2.0.11-1.el8.x86_64",
          "8Base-OSSM-2.0:servicemesh-mixs-0:2.0.11-1.el8.ppc64le",
          "8Base-OSSM-2.0:servicemesh-mixs-0:2.0.11-1.el8.s390x",
          "8Base-OSSM-2.0:servicemesh-mixs-0:2.0.11-1.el8.x86_64",
          "8Base-OSSM-2.0:servicemesh-operator-0:2.0.11-1.el8.ppc64le",
          "8Base-OSSM-2.0:servicemesh-operator-0:2.0.11-1.el8.s390x",
          "8Base-OSSM-2.0:servicemesh-operator-0:2.0.11-1.el8.src",
          "8Base-OSSM-2.0:servicemesh-operator-0:2.0.11-1.el8.x86_64",
          "8Base-OSSM-2.0:servicemesh-pilot-agent-0:2.0.11-1.el8.ppc64le",
          "8Base-OSSM-2.0:servicemesh-pilot-agent-0:2.0.11-1.el8.s390x",
          "8Base-OSSM-2.0:servicemesh-pilot-agent-0:2.0.11-1.el8.x86_64",
          "8Base-OSSM-2.0:servicemesh-pilot-discovery-0:2.0.11-1.el8.ppc64le",
          "8Base-OSSM-2.0:servicemesh-pilot-discovery-0:2.0.11-1.el8.s390x",
          "8Base-OSSM-2.0:servicemesh-pilot-discovery-0:2.0.11-1.el8.x86_64",
          "8Base-OSSM-2.0:servicemesh-proxy-0:2.0.11-1.el8.ppc64le",
          "8Base-OSSM-2.0:servicemesh-proxy-0:2.0.11-1.el8.s390x",
          "8Base-OSSM-2.0:servicemesh-proxy-0:2.0.11-1.el8.src",
          "8Base-OSSM-2.0:servicemesh-proxy-0:2.0.11-1.el8.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-31129"
        },
        {
          "category": "external",
          "summary": "RHBZ#2105075",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2105075"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-31129",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-31129"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-31129",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31129"
        },
        {
          "category": "external",
          "summary": "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g",
          "url": "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g"
        }
      ],
      "release_date": "2022-07-06T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "The OpenShift Service Mesh release notes provide information on the features and known issues:\n\nhttps://docs.openshift.com/container-platform/latest/service_mesh/v2x/servicemesh-release-notes.html",
          "product_ids": [
            "8Base-OSSM-2.0:servicemesh-prometheus-0:2.14.0-18.el8.1.ppc64le",
            "8Base-OSSM-2.0:servicemesh-prometheus-0:2.14.0-18.el8.1.s390x",
            "8Base-OSSM-2.0:servicemesh-prometheus-0:2.14.0-18.el8.1.src",
            "8Base-OSSM-2.0:servicemesh-prometheus-0:2.14.0-18.el8.1.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:6272"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-OSSM-2.0:servicemesh-prometheus-0:2.14.0-18.el8.1.ppc64le",
            "8Base-OSSM-2.0:servicemesh-prometheus-0:2.14.0-18.el8.1.s390x",
            "8Base-OSSM-2.0:servicemesh-prometheus-0:2.14.0-18.el8.1.src",
            "8Base-OSSM-2.0:servicemesh-prometheus-0:2.14.0-18.el8.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "moment: inefficient parsing algorithm resulting in DoS"
    }
  ]
}

cve-2022-31129

Vulnerability from cvelistv5

Published

2022-07-06 00:00

Modified

2024-08-03 07:11

Severity

7.5 (High) - cvssV3_1 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

Inefficient Regular Expression Complexity in moment

References

URL	Tags
https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g
https://github.com/moment/moment/pull/6015#issuecomment-1152961973
https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3
https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/	vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/	vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O/	vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO/	vendor-advisory
https://security.netapp.com/advisory/ntap-20221014-0003/
https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html	mailing-list

Impacted products

Vendor	Product
moment	moment

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T07:11:39.222Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/moment/moment/pull/6015#issuecomment-1152961973"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633/"
          },
          {
            "name": "FEDORA-2022-85aa8e5706",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/"
          },
          {
            "name": "FEDORA-2022-35b698150c",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/"
          },
          {
            "name": "FEDORA-2022-b9ef7c3c3c",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O/"
          },
          {
            "name": "FEDORA-2022-798fd95813",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20221014-0003/"
          },
          {
            "name": "[debian-lts-announce] 20230130 [SECURITY] [DLA 3295-1] node-moment security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "moment",
          "vendor": "moment",
          "versions": [
            {
              "status": "affected",
              "version": " \u003e= 2.18.0, \u003c 2.29.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-01-31T00:00:00",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "url": "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g"
        },
        {
          "url": "https://github.com/moment/moment/pull/6015#issuecomment-1152961973"
        },
        {
          "url": "https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3"
        },
        {
          "url": "https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633/"
        },
        {
          "name": "FEDORA-2022-85aa8e5706",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/"
        },
        {
          "name": "FEDORA-2022-35b698150c",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/"
        },
        {
          "name": "FEDORA-2022-b9ef7c3c3c",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O/"
        },
        {
          "name": "FEDORA-2022-798fd95813",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO/"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20221014-0003/"
        },
        {
          "name": "[debian-lts-announce] 20230130 [SECURITY] [DLA 3295-1] node-moment security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html"
        }
      ],
      "source": {
        "advisory": "GHSA-wc69-rhjr-hc9g",
        "discovery": "UNKNOWN"
      },
      "title": "Inefficient Regular Expression Complexity in moment"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-31129",
    "datePublished": "2022-07-06T00:00:00",
    "dateReserved": "2022-05-18T00:00:00",
    "dateUpdated": "2024-08-03T07:11:39.222Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2022-24785

Vulnerability from cvelistv5

Published

2022-04-04 00:00

Modified

2024-08-03 04:20

Severity

7.5 (High) - cvssV3_1 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Summary

Path Traversal in Moment.js

References

URL	Tags
https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4
https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5
https://www.tenable.com/security/tns-2022-09
https://security.netapp.com/advisory/ntap-20220513-0006/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/	vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/	vendor-advisory
https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html	mailing-list

Impacted products

Vendor	Product
moment	moment

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T04:20:50.533Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.tenable.com/security/tns-2022-09"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20220513-0006/"
          },
          {
            "name": "FEDORA-2022-85aa8e5706",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/"
          },
          {
            "name": "FEDORA-2022-35b698150c",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/"
          },
          {
            "name": "[debian-lts-announce] 20230130 [SECURITY] [DLA 3295-1] node-moment security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "moment",
          "vendor": "moment",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.0.1, \u003c 2.29.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-27",
              "description": "CWE-27: Path Traversal: \u0027dir/../../filename\u0027",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-01-31T00:00:00",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "url": "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4"
        },
        {
          "url": "https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5"
        },
        {
          "url": "https://www.tenable.com/security/tns-2022-09"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20220513-0006/"
        },
        {
          "name": "FEDORA-2022-85aa8e5706",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/"
        },
        {
          "name": "FEDORA-2022-35b698150c",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/"
        },
        {
          "name": "[debian-lts-announce] 20230130 [SECURITY] [DLA 3295-1] node-moment security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html"
        }
      ],
      "source": {
        "advisory": "GHSA-8hfj-j24r-96c4",
        "discovery": "UNKNOWN"
      },
      "title": "Path Traversal in Moment.js"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-24785",
    "datePublished": "2022-04-04T00:00:00",
    "dateReserved": "2022-02-10T00:00:00",
    "dateUpdated": "2024-08-03T04:20:50.533Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Action not permitted

rhsa-2022_6272

Vulnerability from csaf_redhat

cve-2022-31129

Vulnerability from cvelistv5

cve-2022-24785

Vulnerability from cvelistv5

Tags