Severe ReDoS vulnerabilty: moment.js

[bchartier]

We have been informed of a severe regular expression Denial of Service (ReDoS) vulnerabilty caused by the use of an outdated version of moment.js by GeoNetwork:

• Description: This vulnerability was identified because the detected version of Moment.js, 2.2.1, is less than 2.11.2
• Path: /geonetwork/static/lib.js
• Fix: Upgrade to version 2.22.2 or later of Moment.js.
• References:
  • http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
  • https://nodesecurity.io/advisories/55

[fxprunayre]

Thanks, for reporting, it looks like 3.4.x and master are both using moment 2.18.1 cf. https://github.com/geonetwork/core-geonetwork/blob/3.4.x/web-ui/src/main/resources/catalog/lib/moment+langs.min.js#L82. Which version are you using ?

[bchartier]

Hum 3.2.2. Sorry.
So, this vulnerability has been fixed as I can see in your answer.
Sorry again for this outdated alert.

[fxprunayre]

You can safely cherry-pick the commit if you need it applied to 3.2.2 313c7e2#diff-56c156a44c44136483e50386ea7842aa

[bchartier]

Thank you very much.

[bchartier]

I closed this issue too quickly.
An other vulnerabilty (less severe) exists with versions of Moment less than 2.19.3:
see moment/moment#4163 and https://nodesecurity.io/advisories/532

Sorry, I should have noticed this at the same time.

[fxprunayre]

Update done for 3.6.0.

[bchartier]

Thank you