CVE-2023-22467 - OpenCVE

Luxon is a library for working with dates and times in JavaScript. On the 1.x branch prior to 1.38.1, the 2.x branch prior to 2.5.2, and the 3.x branch on 3.2.1, Luxon's `DateTime.fromRFC2822() has quadratic (N^2) complexity on some specific inputs. This causes a noticeable slowdown for inputs with lengths above 10k characters. Users providing untrusted data to this method are therefore vulnerable to (Re)DoS attacks. This issue also appears in Moment as CVE-2022-31129. Versions 1.38.1, 2.5.2, and 3.2.1 contain patches for this issue. As a workaround, limit the length of the input.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Momentjs	Luxon

Configuration 1 [-]

OR	cpe:2.3:a:momentjs:luxon::::::node.js::*
	cpe:2.3:a:momentjs:luxon::::::node.js::*
	cpe:2.3:a:momentjs:luxon::::::node.js::*

References

Link	Resource
https://github.com/moment/luxon/commit/5ab3bf64a10da929a437629cdb2f059bb83212bf	Patch Third Party Advisory
https://github.com/moment/luxon/security/advisories/GHSA-3xq5-wjfh-ppjc	Third Party Advisory
https://github.com/moment/moment/pull/6015#issuecomment-1152961973	Patch Third Party Advisory
https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g	Not Applicable Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/44I3WAJKYXDLOVYRGMHAUXMIV4SPFXDZ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4LIVOASKBQH7FEUI5RWM3SOHR6VK7ZZR/

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-01-04T21:52:14.329Z

Updated: 2024-02-12T04:05:59

Reserved: 2022-12-29T03:00:40.880Z

Link: CVE-2023-22467

JSON object: View

NVD Information

Status : Modified

Published: 2023-01-04T22:15:09.357

Modified: 2024-02-12T04:15:07.610

Link: CVE-2023-22467

JSON object: View

Redhat Information

No data.

CWE

CWE-1333

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-22467", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2022-12-29T03:00:40.880Z", "datePublished": "2023-01-04T21:52:14.329Z", "dateUpdated": "2024-02-12T04:05:59"}, "containers": {"cna": {"title": "luxon.js inefficient regular expression complexity vulnerability", "problemTypes": [{"descriptions": [{"cweId": "CWE-1333", "lang": "en", "description": "CWE-1333: Inefficient Regular Expression Complexity", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/moment/luxon/security/advisories/GHSA-3xq5-wjfh-ppjc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/moment/luxon/security/advisories/GHSA-3xq5-wjfh-ppjc"}, {"name": "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g", "tags": ["x_refsource_MISC"], "url": "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g"}, {"name": "https://github.com/moment/moment/pull/6015#issuecomment-1152961973", "tags": ["x_refsource_MISC"], "url": "https://github.com/moment/moment/pull/6015#issuecomment-1152961973"}, {"name": "https://github.com/moment/luxon/commit/5ab3bf64a10da929a437629cdb2f059bb83212bf", "tags": ["x_refsource_MISC"], "url": "https://github.com/moment/luxon/commit/5ab3bf64a10da929a437629cdb2f059bb83212bf"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4LIVOASKBQH7FEUI5RWM3SOHR6VK7ZZR/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/44I3WAJKYXDLOVYRGMHAUXMIV4SPFXDZ/"}], "affected": [{"vendor": "moment", "product": "luxon", "versions": [{"version": ">= 1.0.0, < 1.38.1", "status": "affected"}, {"version": ">= 2.0.0, < 2.5.2", "status": "affected"}, {"version": ">= 3.0.0, < 3.2.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-01-04T21:52:14.329Z"}, "descriptions": [{"lang": "en", "value": "Luxon is a library for working with dates and times in JavaScript. On the 1.x branch prior to 1.38.1, the 2.x branch prior to 2.5.2, and the 3.x branch on 3.2.1, Luxon's `DateTime.fromRFC2822() has quadratic (N^2) complexity on some specific inputs. This causes a noticeable slowdown for inputs with lengths above 10k characters. Users providing untrusted data to this method are therefore vulnerable to (Re)DoS attacks. This issue also appears in Moment as CVE-2022-31129. Versions 1.38.1, 2.5.2, and 3.2.1 contain patches for this issue. As a workaround, limit the length of the input."}], "source": {"advisory": "GHSA-3xq5-wjfh-ppjc", "discovery": "UNKNOWN"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:momentjs:luxon:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "D11AA49A-C83C-4BE7-8F35-A0B653A4600C", "versionEndExcluding": "1.28.1", "versionStartIncluding": "1.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:momentjs:luxon:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "E5B6E3EF-4FF5-4BD3-9DE6-D81C49DB16AB", "versionEndExcluding": "2.5.2", "versionStartIncluding": "2.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:momentjs:luxon:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "D29FCF30-14B9-4943-9164-E395080794BE", "versionEndExcluding": "3.2.1", "versionStartIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Luxon is a library for working with dates and times in JavaScript. On the 1.x branch prior to 1.38.1, the 2.x branch prior to 2.5.2, and the 3.x branch on 3.2.1, Luxon's `DateTime.fromRFC2822() has quadratic (N^2) complexity on some specific inputs. This causes a noticeable slowdown for inputs with lengths above 10k characters. Users providing untrusted data to this method are therefore vulnerable to (Re)DoS attacks. This issue also appears in Moment as CVE-2022-31129. Versions 1.38.1, 2.5.2, and 3.2.1 contain patches for this issue. As a workaround, limit the length of the input."}, {"lang": "es", "value": "Luxon es una librer\u00eda para trabajar con fechas y horas en JavaScript. En la rama 1.x anterior a 1.38.1, la rama 2.x anterior a 2.5.2 y la rama 3.x en 3.2.1, `DateTime.fromRFC2822() de Luxon tiene complejidad cuadr\u00e1tica (N^2) en algunas entradas espec\u00edficas. Esto provoca una notable desaceleraci\u00f3n en las entradas con longitudes superiores a 10 000 caracteres. Por lo tanto, los usuarios que proporcionan datos no confiables a este m\u00e9todo son vulnerables a ataques (Re)DoS. Este problema tambi\u00e9n aparece en Moment como CVE-2022-31129. Las versiones 1.38.1, 2.5.2 y 3.2.1 contienen parches para este problema. Como workaround, limite la longitud de la entrada."}], "id": "CVE-2023-22467", "lastModified": "2024-02-12T04:15:07.610", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-01-04T22:15:09.357", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/moment/luxon/commit/5ab3bf64a10da929a437629cdb2f059bb83212bf"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/moment/luxon/security/advisories/GHSA-3xq5-wjfh-ppjc"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/moment/moment/pull/6015#issuecomment-1152961973"}, {"source": "security-advisories@github.com", "tags": ["Not Applicable", "Third Party Advisory"], "url": "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/44I3WAJKYXDLOVYRGMHAUXMIV4SPFXDZ/"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4LIVOASKBQH7FEUI5RWM3SOHR6VK7ZZR/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1333"}], "source": "security-advisories@github.com", "type": "Primary"}]}