CVE-2016-4055 : The duration function in the moment package before 2.11.2 for Node.js allows rem

The duration function in the moment package before 2.11.2 for Node.js allows remote attackers to cause a denial of service (CPU consumption) via a long string, aka a "regular expression Denial of Service (ReDoS)."

Published 2017-01-23 21:59:01

Updated 2022-06-06 17:18:07

Source MITRE

View at NVD, CVE.org

Vulnerability category: Denial of service

Products affected by CVE-2016-4055

Oracle » Primavera Unifier
Versions from including (>=) 16.0 and up to, including, (<=) 18.8.4
cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*
Matching versions
Tenable » Nessus
Versions up to, including, (<=) 8.2.3
cpe:2.3:a:tenable:nessus:*:*:*:*:*:*:*:*
Matching versions
Momentjs » Moment » For Node.js
Versions before (<) 2.11.2
cpe:2.3:a:momentjs:moment:*:*:*:*:*:node.js:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2016-4055

EPSS FAQ

3.50%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 87 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2016-4055

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.8	HIGH	AV:N/AC:L/Au:N/C:N/I:N/A:C	10.0	6.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Complete
6.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H	2.8	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2016-4055

CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2016-4055

https://lists.apache.org/thread.html/10f0f3aefd51444d1198c65f44ffdf2d78ca3359423dbc1c168c9731@%3Cdev.flink.apache.org%3E

Apache flink 1.7.2 security issues - Pony Mail
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/52bafac05ad174000ea465fe275fd3cc7bd5c25535a7631c0bc9bfb2@%3Cuser.flink.apache.org%3E

Re: Apache flink 1.7.2 security issues - Pony Mail
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/54df3aeb4239b64b50b356f0ca6f986e3c4ca5b84c515dce077c7854@%3Cuser.flink.apache.org%3E

Apache flink 1.7.2 security issues - Pony Mail
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/17ff53f7999e74fbe3cc0ceb4e1c3b00b180b7c5afec8e978837bc49@%3Cuser.flink.apache.org%3E

Apache flink 1.7.2 security issues - Pony Mail
Mailing List;Third Party Advisory

CVEs referencing this url
http://www.securityfocus.com/bid/95849

Moment.js CVE-2016-4055 Remote Denial of Service Vulnerability
Third Party Advisory;VDB Entry
https://www.tenable.com/security/tns-2019-02

[R1] Nessus 8.3.0 Fixes Multiple Third-party Vulnerabilities - Security Advisory | Tenable®
Patch;Third Party Advisory

CVEs referencing this url
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

CPU July 2018
Patch;Third Party Advisory

CVEs referencing this url
https://nodesecurity.io/advisories/55

npm
Broken Link;Exploit;Vendor Advisory
http://www.openwall.com/lists/oss-security/2016/04/20/11

oss-security - various vulnerabilities in Node.js packages
Mailing List;Third Party Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2016-4055

Products affected by CVE-2016-4055

Exploit prediction scoring system (EPSS) score for CVE-2016-4055

CVSS scores for CVE-2016-4055

CWE ids for CVE-2016-4055

References for CVE-2016-4055