CVE-2022-31129 in Oracle Utilities Application Frameworkinfo

Summary

moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.

Responsible

GitHub, Inc.

Reservation

05/18/2022

Disclosure

07/06/2022

Entries

VulDB provides additional information and datapoints for this CVE:

ID	Vulnerability	CWE	Exp	Cou	CVE
242821	Oracle Utilities Application Framework General denial of service	404	Not defined	Official fix	CVE-2022-31129
234693	Oracle Banking Digital Experience UI General denial of service	404	Not defined	Official fix	CVE-2022-31129
234664	Oracle Banking APIs IDM - Authentication denial of service	404	Not defined	Official fix	CVE-2022-31129
226414	Oracle Communications Services Gatekeeper Third Party denial of service	404	Not defined	Official fix	CVE-2022-31129
218807	Oracle PeopleSoft Enterprise PeopleTools Elastic Search denial of service	404	Not defined	Official fix	CVE-2022-31129
218606	Oracle Communications Cloud Native Core Binding Support Function Install/Upgrade denial of service	404	Not defined	Official fix	CVE-2022-31129
211721	Oracle Utilities Testing Accelerator Tools denial of service	404	Not defined	Official fix	CVE-2022-31129
211613	Oracle MySQL Enterprise Monitor denial of service	404	Not defined	Official fix	CVE-2022-31129
211584	Oracle Hospitality Suite8 Webconnect denial of service	404	Not defined	Official fix	CVE-2022-31129
211510	Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition User denial of service	404	Not defined	Official fix	CVE-2022-31129
211509	Oracle Financial Services Model Management and Governance Installer denial of service	404	Not defined	Official fix	CVE-2022-31129
211506	Oracle Financial Services Enterprise Case Management Installer denial of service	404	Not defined	Official fix	CVE-2022-31129
211505	Oracle Financial Services Behavior Detection Platform User denial of service	404	Not defined	Official fix	CVE-2022-31129
211504	Oracle Financial Services Analytical Applications Infrastructure Others denial of service	404	Not defined	Official fix	CVE-2022-31129
211486	Oracle Primavera Unifier User denial of service	404	Not defined	Official fix	CVE-2022-31129
211484	Oracle Primavera Gateway Admin denial of service	404	Not defined	Official fix	CVE-2022-31129
211392	Oracle Communications Design Studio PSR Designer denial of service	404	Not defined	Official fix	CVE-2022-31129
211390	Oracle Communications Billing and Revenue Management Billing Care denial of service	404	Not defined	Official fix	CVE-2022-31129
203300	moment String-to-Date resource consumption	400	Not defined	Official fix	CVE-2022-31129

Description

CPE

CWE

CVSS

Exploits

History

Diff

Relate

Threat Intelligence

API JSON

API XML

API CSV

◂ PreviousOverviewNext ▸

Do you want to use VulDB in your project?

Use the official API to access entries easily!