ZK-5238: Upgrade moment.js to eliminate the security vulnerabilities


    • Type: Bug
    • Resolution: Fixed
    • Priority: Major
    • 10.0.0, 9.6.4
    • 9.6.2
    • None
    • Security Level: Jimmy
    • None

      Steps to reproduce

      Check

      Current result

      Two vulnerabilities are reported for moment.js 2.24.0, which ZK 9.6.2 includes.

      Expected result

      Upgrade to 2.29.4 to eliminate those vulnerabilities.

      Related Vulnerabilities

      https://nvd.nist.gov/vuln/detail/CVE-2022-24785

      Main Problem:

      The issue arises if a user-provided locale string is directly used to switch the moment locale.

      Explanation:

      ZK uses moment.js to handle time zones, not to switch locales. When using ZK components, end users cannot pass a locale string to moment.js to switch locales. Hence, this vulnerability doesn't affect ZK.

      https://nvd.nist.gov/vuln/detail/CVE-2022-31129

      Main Problem:

      Users who pass user-provided strings without sanity length checks to the moment constructor are vulnerable to (Re)DoS attacks.

      Explanation:

      When using ZK, end users cannot input anything into the moment.js constructor directly. Only the ZK JavaScript widget calls the moment.js constructor internally.
      Hence, this vulnerability doesn't affect ZK.
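
An application built on ZK may also pull in its own copies of moment.js through npm, separately from the one ZK bundles. The following added example (not part of the ticket or of ZK's code) flags every moment copy below the 2.29.4 target named above; it assumes an npm lockfile with a `packages` map, and the lockfile contents and package names other than moment are constructed.

```javascript
// Added example: flag moment.js copies older than the 2.29.4 release named in this ticket.
// Assumption: dependencies are recorded in an npm lockfile (v2/v3 "packages" layout).
const FIXED = "2.29.4"; // target version from the ticket

// Parse "major.minor.patch" (ignoring any pre-release/build suffix) into numbers.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// Negative if a < b, zero if equal, positive if a > b (numeric, not string, comparison).
function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Return every installed moment copy (top-level or nested) below the fixed version.
function findOutdatedMoment(lock, fixed = FIXED) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Keys look like "node_modules/a/node_modules/moment"; match the last segment only,
    // so "moment-timezone" is not mistaken for moment itself.
    if (path.split("node_modules/").pop() !== "moment") continue;
    if (compareVersions(meta.version, fixed) < 0) {
      findings.push({ path, version: meta.version });
    }
  }
  return findings;
}

const sampleLock = { // constructed sample data
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/moment": { version: "2.29.4" },
    "node_modules/moment-timezone": { version: "0.5.43" },
    "node_modules/legacy-widget/node_modules/moment": { version: "2.24.0" },
  },
};

for (const f of findOutdatedMoment(sampleLock)) {
  console.log(`moment ${f.version} at ${f.path} is older than ${FIXED}`);
}
```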

            gordonhsu
            hawk