CVE-2020-26289 - OpenCVE

date-and-time is an npm package for manipulating date and time. In date-and-time before version 0.14.2, there a regular expression involved in parsing which can be exploited to to cause a denial of service. This is fixed in version 0.14.2.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:N/C:N/I:N/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Date-and-time Project	Date-and-time
Redhat	Openshift Container Storage

Configuration 1 [-]

cpe:2.3:a:date-and-time_project:date-and-time:*:*:*:*:*:node.js:*:*

Package	CPE	Advisory	Released Date
Red Hat OpenShift Container Storage 4.7.0 on RHEL-8
ocs4/mcg-core-rhel8:5.7.0-60.2c1fdb0.5.7	cpe:/a:redhat:openshift_container_storage:4.7::el8	RHSA-2021:2041	2021-05-19T00:00:00Z

References

Link	Providers
https://github.com/advisories/GHSA-r92x-f52r-x54g
https://github.com/knowledgecode/date-and-time/commit/9e4b501eacddccc8b1f559fb414f48472ee17c2a
https://github.com/knowledgecode/date-and-time/security/advisories/GHSA-r92x-f52r-x54g
https://nvd.nist.gov/vuln/detail/CVE-2020-26289
https://www.cve.org/CVERecord?id=CVE-2020-26289
https://www.npmjs.com/advisories/1592
https://www.npmjs.com/package/date-and-time

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2020-12-28T18:50:15

Updated: 2024-08-04T15:56:04.321Z

Reserved: 2020-10-01T00:00:00

Link: CVE-2020-26289

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-12-28T19:15:12.907

Modified: 2020-12-30T15:51:17.230

Link: CVE-2020-26289

Redhat

Severity : Moderate

Publid Date: 2020-12-24T00:00:00Z

Links: CVE-2020-26289 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "date-and-time", "vendor": "knowledgecode", "versions": [{"status": "affected", "version": "< 0.14.2"}]}], "descriptions": [{"lang": "en", "value": "date-and-time is an npm package for manipulating date and time. In date-and-time before version 0.14.2, there a regular expression involved in parsing which can be exploited to to cause a denial of service. This is fixed in version 0.14.2."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-12-28T18:50:15", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/knowledgecode/date-and-time/security/advisories/GHSA-r92x-f52r-x54g"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/knowledgecode/date-and-time/commit/9e4b501eacddccc8b1f559fb414f48472ee17c2a"}, {"tags": ["x_refsource_MISC"], "url": "https://www.npmjs.com/package/date-and-time"}], "source": {"advisory": "GHSA-r92x-f52r-x54g", "discovery": "UNKNOWN"}, "title": "Regular expression Denial of Service in date-and-time", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-26289", "STATE": "PUBLIC", "TITLE": "Regular expression Denial of Service in date-and-time"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "date-and-time", "version": {"version_data": [{"version_value": "< 0.14.2"}]}}]}, "vendor_name": "knowledgecode"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "date-and-time is an npm package for manipulating date and time. In date-and-time before version 0.14.2, there a regular expression involved in parsing which can be exploited to to cause a denial of service. This is fixed in version 0.14.2."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-400: Uncontrolled Resource Consumption"}]}]}, "references": {"reference_data": [{"name": "https://github.com/knowledgecode/date-and-time/security/advisories/GHSA-r92x-f52r-x54g", "refsource": "CONFIRM", "url": "https://github.com/knowledgecode/date-and-time/security/advisories/GHSA-r92x-f52r-x54g"}, {"name": "https://github.com/knowledgecode/date-and-time/commit/9e4b501eacddccc8b1f559fb414f48472ee17c2a", "refsource": "MISC", "url": "https://github.com/knowledgecode/date-and-time/commit/9e4b501eacddccc8b1f559fb414f48472ee17c2a"}, {"name": "https://www.npmjs.com/package/date-and-time", "refsource": "MISC", "url": "https://www.npmjs.com/package/date-and-time"}]}, "source": {"advisory": "GHSA-r92x-f52r-x54g", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T15:56:04.321Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/knowledgecode/date-and-time/security/advisories/GHSA-r92x-f52r-x54g"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/knowledgecode/date-and-time/commit/9e4b501eacddccc8b1f559fb414f48472ee17c2a"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.npmjs.com/package/date-and-time"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-26289", "datePublished": "2020-12-28T18:50:15", "dateReserved": "2020-10-01T00:00:00", "dateUpdated": "2024-08-04T15:56:04.321Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:date-and-time_project:date-and-time:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "E2BDED94-23BF-417B-8EAB-47051D12BD0A", "versionEndExcluding": "0.14.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "date-and-time is an npm package for manipulating date and time. In date-and-time before version 0.14.2, there a regular expression involved in parsing which can be exploited to to cause a denial of service. This is fixed in version 0.14.2."}, {"lang": "es", "value": "date-and-time es un paquete npm para manipular la fecha y la hora. En date-and-time versi\u00f3n anterior a 0.14.2, se presenta una expresi\u00f3n regular involucrada en el an\u00e1lisis que puede ser explotada para causar una denegaci\u00f3n de servicio. Esto es corregido en la versi\u00f3n 0.14.2"}], "id": "CVE-2020-26289", "lastModified": "2020-12-30T15:51:17.230", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2020-12-28T19:15:12.907", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/knowledgecode/date-and-time/commit/9e4b501eacddccc8b1f559fb414f48472ee17c2a"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/knowledgecode/date-and-time/security/advisories/GHSA-r92x-f52r-x54g"}, {"source": "security-advisories@github.com", "tags": ["Product", "Third Party Advisory"], "url": "https://www.npmjs.com/package/date-and-time"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Primary"}]}