PT-2022-28198 · Unknown · Moment-Timezone

Published 2022-08-30 · Updated 2022-08-30

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions: moment-timezone versions 0.1.0 through 0.5.34

Description: Several grunt build tasks in moment-timezone are vulnerable to command injection. When a third party is allowed to specify the version of moment-timezone to be built, an attacker can execute arbitrary commands on the system running the grunt task, with the same privileges as that task. The affected scripts are tasks/data-download.js, tasks/data-zdump.js and tasks/data-zic.js. The data-download task splices the requested version into a command line, so additional content such as grunt 'data-download:2014d ; echo flag>/tmp/foo #' is executed as shell commands. tasks/data-zdump.js reads a list of files from a temporary directory and builds a command line from those names without sanitization, so an attacker who can influence the contents of that directory gains code execution. tasks/data-zic.js takes a version from the command line and uses it, unsanitized, as part of a command line, so arbitrary commands can be run.

Recommendations: For moment-timezone versions 0.1.0 through 0.5.34, apply the supplied patch, which switches exec to execFile to prevent arbitrary bash fragments from being executed. Until the patch can be applied, disable the grunt task as a temporary workaround. Restrict access to the tasks/data-download.js, tasks/data-zdump.js and tasks/data-zic.js scripts to minimize the risk of exploitation, and avoid using the version parameter in the affected API endpoints until the issue is resolved.

Related Identifiers: GHSA-56X4-J7P9-FCF9

Affected Products: Moment-Timezone