Certain security scanners will report CA PAM as vulnerable because of the moment.js JavaScript library.
This article discusses the vulnerabilities associated with the JavaScript library moment.js that might impact CA PAM up to version 4.1.7, and whether the product is affected by them.
CA PAM, all versions up to at least the current one, 4.1.7
CVE-2022-24785: This is a vulnerability that existed in certain versions of the popular JavaScript library moment.js. This library is widely used for parsing, manipulating, and formatting dates and times in Node.js applications. The vulnerability falls under the category of Path Traversal, which could potentially allow attackers to access unauthorized files or execute malicious code on the server. An attacker could exploit this vulnerability by providing a specially crafted locale string as input to the moment.js library function responsible for switching locales.
PAM is not impacted by this vulnerability, as a locale is never passed to moment.js.
CVE-2017-18214: This is a vulnerability that existed in older versions of the moment.js library, a popular JavaScript library used for parsing, manipulating, and formatting dates and times in Node.js applications. This vulnerability falls under the category of Regular Expression Denial-of-Service (ReDoS). The duration function within the moment.js library parses and represents durations of time. This function relies on regular expressions to process user-provided input representing the duration. The vulnerability stemmed from an inefficiently crafted regular expression within the duration function.
PAM only supports a set of date and time standards, so it is not impacted by this vulnerability.
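The two conditions above (no caller-supplied locale reaching the library, and only a fixed set of date and time formats being accepted) can be enforced as input guards in front of any date library. The following is an added example, not CA PAM code; the locale allowlist, the two accepted timestamp layouts, the length caps and the function names are assumptions chosen for illustration.

```javascript
// Added example, not CA PAM code. SUPPORTED_LOCALES, the two accepted
// timestamp layouts and the length caps are assumptions for illustration.
const SUPPORTED_LOCALES = new Set(['en', 'en-gb', 'fr', 'de', 'ja', 'pt-br']);
const DEFAULT_LOCALE = 'en';
const MAX_TIMESTAMP_LEN = 32;

// Map a caller-supplied locale onto an allowlisted key. Path separators,
// dots and unknown names fall back to the default, so the raw string is
// never handed to a locale loader (the CVE-2022-24785 input).
function resolveLocale(input) {
  if (typeof input !== 'string' || input.length > 16) return DEFAULT_LOCALE;
  const key = input.trim().toLowerCase().replace(/_/g, '-');
  if (!/^[a-z]{2,3}(-[a-z0-9]{2,8})*$/.test(key)) return DEFAULT_LOCALE;
  if (SUPPORTED_LOCALES.has(key)) return key;
  const base = key.split('-')[0];
  return SUPPORTED_LOCALES.has(base) ? base : DEFAULT_LOCALE;
}

// Fixed-width, anchored patterns: matching time is linear in input length.
const DATE_TIME = /^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})Z$/;
const DATE_ONLY = /^(\d{4})-(\d{2})-(\d{2})$/;

// Accept only the two layouts above and return a Date, or null otherwise.
// The length cap runs before any regex, so long crafted strings, which a
// ReDoS such as CVE-2017-18214 depends on, are rejected without parsing.
function parseTimestamp(input) {
  if (typeof input !== 'string' || input.length > MAX_TIMESTAMP_LEN) return null;
  const m = DATE_TIME.exec(input) || DATE_ONLY.exec(input);
  if (!m) return null;
  const [y, mo, d, h = 0, mi = 0, s = 0] = m.slice(1).map(Number);
  const dt = new Date(Date.UTC(y, mo - 1, d, h, mi, s));
  // Reject values Date.UTC would silently roll over, e.g. 2024-02-30.
  const same = dt.getUTCFullYear() === y && dt.getUTCMonth() === mo - 1 &&
    dt.getUTCDate() === d && dt.getUTCHours() === h &&
    dt.getUTCMinutes() === mi && dt.getUTCSeconds() === s;
  return same ? dt : null;
}

// Constructed sample inputs.
console.log(resolveLocale('pt_BR'), resolveLocale('../../tmp/x'));
console.log(parseTimestamp('2024-02-29T12:30:00Z'), parseTimestamp('2024-02-30'));
```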
CVE-2018-8046: This is a vulnerability that existed in certain versions of Sencha Ext JS, a popular JavaScript framework for building rich web applications. This vulnerability falls under the category of Cross-Site Scripting (XSS). The getTip() method of Action Columns in Ext JS is used to display tooltip information for specific actions within a data grid. This vulnerability stemmed from the way getTip() handled user-controlled data. Even if developers escaped the data before passing it to getTip(), the method itself would unintentionally un-escape the data. An attacker could exploit this by injecting malicious scripts into the tooltip content. If a user hovered over the compromised action column, the malicious script could be executed in their browser, potentially leading to a variety of attacks like stealing session cookies, injecting fake content, or redirecting users to malicious websites.
PAM is not impacted by this vulnerability, as we sanitize the input that is shown in the tooltip.