CVE-2022-24785
Security vulnerability in moment (npm)

Status: No known exploit. Fixable by Resolved Security.

What is CVE-2022-24785 About?

HashiCorp Vault and Vault Enterprise are affected by a security vulnerability that may inadvertently include Groups in an Entity's membership that the Entity no longer has permissions to. This can lead to unintended privilege retention or escalation within the access control system. Exploitation depends on specific circumstances and is not necessarily straightforward.

Affected Software

  • moment
    • <2.29.2
  • Moment.js
    • <2.29.2

Technical Details

The vulnerability in HashiCorp Vault and Vault Enterprise versions 0.9.0 through 1.3.3 involves an issue where an Entity's Group membership incorrectly retains or includes Groups for which the Entity no longer possesses permissions. This occurs 'under certain circumstances,' implying a race condition, an incomplete cleanup process, or a misconfiguration in how Group memberships are refreshed or revoked. The core mechanism is a failure in the authorization system to correctly synchronize an Entity's effective group memberships with its current, legitimate permissions. This leads to privilege retention, where an Entity might still be treated as a member of a Group even after its entitlements to that Group have been removed.

What is the Impact of CVE-2022-24785?

Successful exploitation may allow attackers to retain unauthorized group permissions, access sensitive resources, or perform privileged actions they should no longer be able to, leading to privilege escalation or unauthorized data access.

What is the Exploitability of CVE-2022-24785?

Exploitation complexity is likely medium to high, as it depends on 'certain circumstances' and the specific timing or sequence of events that lead to the group membership inconsistency. Prerequisites would involve the attacker having previously been a member of a group and then having those permissions revoked, or identifying a scenario where an entity's group membership is not properly updated. This would require authenticated access to Vault. The attack could be local or remote, depending on how Vault is accessed. No specific privilege requirements are noted beyond legitimate user or entity interaction with Vault's access control system. The primary risk factor is the potential for stale permissions to grant unintended ongoing access.

What are the Known Public Exploits?

PoC Author | Link | Commentary
pS3ud0RAnD0m | Link | Moment.js vuln lab

What are the Available Fixes for CVE-2022-24785?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch introduces a function to validate locale names, blocking inputs that contain slashes or backslashes, which could resemble filesystem paths. This prevents path traversal attacks that could allow arbitrary file loading, thereby fixing vulnerability CVE-2022-24785 by ensuring only safe locale names are processed.
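
The check described above, as an added example (not the patch itself and not moment's code): a name that goes straight into a file path can resolve outside the locale directory, and rejecting names containing `/` or `\` stops that. `LOCALE_DIR`, the function names and the sample inputs are constructed for illustration.

```javascript
// Hypothetical locale directory for this example (constructed path).
const LOCALE_DIR = '/srv/app/locales';

// Collapse "." and ".." segments as a filesystem would, treating '\' as a
// separator too (as Windows does).
function normalize(p) {
  const out = [];
  for (const seg of p.replace(/\\/g, '/').split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') out.pop();
    else out.push(seg);
  }
  return '/' + out.join('/');
}

// Unchecked pattern: the caller-supplied name is concatenated into the path.
function resolveUnchecked(name) {
  return normalize(LOCALE_DIR + '/' + name + '.js');
}

// Checked pattern: names containing a slash or backslash are rejected.
function isSafeLocaleName(name) {
  return typeof name === 'string' && name.length > 0 && !/[\/\\]/.test(name);
}

function resolveChecked(name) {
  if (!isSafeLocaleName(name)) return null; // treated as an unknown locale
  return normalize(LOCALE_DIR + '/' + name + '.js');
}

// Report, per name, whether the unchecked path leaves LOCALE_DIR and what
// the checked resolver returns.
function audit(names) {
  return names.map((name) => ({
    name,
    escapesLocaleDir: !resolveUnchecked(name).startsWith(LOCALE_DIR + '/'),
    checked: resolveChecked(name),
  }));
}

// Constructed inputs: two ordinary locale names and two path-shaped ones.
console.log(audit(['fr', 'en-gb', '../../uploads/notes', '..\\..\\tmp\\x']));
```

Validating the name where it enters the application (for example, a user-supplied language preference) gives the same protection on versions that predate the fix, though upgrading remains the listed remedy.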

Available Upgrade Options

  • Moment.js
    • <2.29.2 → Upgrade to 2.29.2
  • moment
    • <2.29.2 → Upgrade to 2.29.2

Additional Resources

What are Similar Vulnerabilities to CVE-2022-24785?

Similar Vulnerabilities: CVE-2024-2048, CVE-2020-16250, CVE-2020-13490, CVE-2021-38290, CVE-2021-39294