First published: Tue Jan 26 2016
moment is vulnerable to regular expression denial of service when user input is passed unchecked into moment.duration(), blocking the event loop for a period of time.

Upstream patch: [https://github.com/moment/moment/pull/2939](https://github.com/moment/moment/pull/2939)

External References: [https://nodesecurity.io/advisories/55](https://nodesecurity.io/advisories/55)

Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/moment | <2.11.2 | 2.11.2 |
Momentjs Moment | <2.11.2 | |
Tenable Nessus | <=8.2.3 | |
Oracle Primavera Unifier | >=16.0, <=18.8.4 | |
IBM GDE | <=4.0.0.4 | |
CVE-2016-4055 is a vulnerability in the Node.js moment module that allows remote attackers to cause a denial of service.
The severity of CVE-2016-4055 is high with a severity value of 6.5.
CVE-2016-4055 affects the Node.js moment module versions before 2.11.2, Tenable Nessus versions up to 8.2.3, and Oracle Primavera Unifier versions between 16.0 and 18.8.4.
CVE-2016-4055 can be exploited by passing unchecked user input to moment.duration(), where regular expression processing blocks the event loop and causes the affected application to hang.
More information about CVE-2016-4055 can be found at the following references: [CVE website](https://www.cve.org/CVERecord?id=CVE-2016-4055), [NIST NVD](https://nvd.nist.gov/vuln/detail/CVE-2016-4055), [Node Security Advisories](https://nodesecurity.io/advisories/55), [Red Hat Bugzilla](https://bugzilla.redhat.com/show_bug.cgi?id=1304645), [Red Hat Security](https://access.redhat.com/security/cve/CVE-2016-4055)
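
One way to check a project for the affected range, as an added example that is not part of the original advisory or the moment project: it walks a parsed npm lockfile (the nested v1 layout and the flat v2/v3 `packages` layout) and reports every copy of moment below 2.11.2. The lockfile contents and the `report-lib` package name are constructed for illustration.

```javascript
// Fixed release, taken from the advisory table above.
const FIXED = [2, 11, 2];
// "2.10.6" -> [2, 10, 6]; any -prerelease/+build suffix is ignored.
function parseVersion(v) {
  return v.split(/[-+]/)[0].split('.').map((n) => parseInt(n, 10) || 0);
}

// True when the version is strictly lower than 2.11.2.
function isAffected(version) {
  const p = parseVersion(version);
  for (let i = 0; i < 3; i++) {
    if ((p[i] || 0) !== FIXED[i]) return (p[i] || 0) < FIXED[i];
  }
  return false;
}

// Return every affected copy of moment in a parsed lockfile, with its location.
function findAffectedMoment(lock) {
  const hits = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/moment$/.test(path) && meta.version && isAffected(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  // lockfileVersion 1: nested "dependencies" tree (skipped when "packages" exists).
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = trail.concat(name);
      if (name === 'moment' && meta.version && isAffected(meta.version)) {
        hits.push({ path: here.join(' > '), version: meta.version });
      }
      walk(meta.dependencies, here);
    }
  };
  if (!lock.packages) walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfiles; "report-lib" is a hypothetical package name.
const SAMPLE_V1 = { lockfileVersion: 1, dependencies: {
  moment: { version: '2.29.4' },
  'report-lib': { version: '1.0.0', dependencies: { moment: { version: '2.10.6' } } },
} };
const SAMPLE_V3 = { lockfileVersion: 3, packages: {
  'node_modules/moment': { version: '2.11.1' },
  'node_modules/moment-timezone': { version: '0.5.0' },
  'node_modules/report-lib/node_modules/moment': { version: '2.11.2' },
} };
console.log(findAffectedMoment(SAMPLE_V1), findAffectedMoment(SAMPLE_V3));
```

A transitive copy of moment pinned by another package is reported with its own path, so it is not missed when the top-level dependency is already at a fixed version.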