
Cleartext Transmission of Sensitive Information in moment-timezone

Moderate severity GitHub Reviewed Published Aug 23, 2022 in moment/moment-timezone • Updated Jan 12, 2023

Package

npm moment-timezone (npm)

Affected versions

>= 0.1.0, < 0.5.35

Patched versions

0.5.35

Description

Impact

  • if Alice uses grunt data (or grunt release) to prepare a custom build of moment-timezone with the latest tzdata from IANA's website,
  • and Mallory intercepts the request to IANA's unencrypted FTP server, Mallory can serve data that might exploit further stages of the moment-timezone tzdata pipeline, or potentially produce a tainted version of moment-timezone (the practicality of such attacks has not been proven).

Patches

The problem has been patched in version 0.5.35; the patch should be applicable with minor modifications to all affected versions. The patch replaces the FTP endpoint with an HTTPS endpoint.

Workarounds

Specify the exact version of tzdata (for example 2014d; the full command is grunt data:2014d, after which the rest of the release tasks are run by hand), or apply the patch before issuing the grunt command.

References

@ichernev ichernev published to moment/moment-timezone Aug 23, 2022
Published to the GitHub Advisory Database Aug 30, 2022
Reviewed Aug 30, 2022
Last updated Jan 12, 2023

Severity

Moderate

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-v78c-4p63-2j6c

Credits
