Severe ReDoS vulnerability: moment.js #3387
Comments
Thanks for reporting. It looks like 3.4.x and master are both using moment 2.18.1, cf. https://github.com/geonetwork/core-geonetwork/blob/3.4.x/web-ui/src/main/resources/catalog/lib/moment+langs.min.js#L82. Which version are you using?
Hum, 3.2.2. Sorry.
You can safely cherry-pick the commit if you need it applied to 3.2.2 313c7e2#diff-56c156a44c44136483e50386ea7842aa
Thank you very much.
I closed this issue too quickly. Sorry, I should have noticed this at the same time.
Update done for 3.6.0.
Thank you
We have been informed of a severe regular expression Denial of Service (ReDoS) vulnerability caused by the use of an outdated version of moment.js by GeoNetwork: