PT-2022-28282 · Unknown · Moment-Timezone

Published: 2022-08-30 · Updated: 2022-08-30

Severity: None. No severity ratings or metrics are available; when they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions: moment-timezone versions prior to 0.5.35

Description: The issue arises when using the grunt data or grunt release task to prepare a custom build of moment-timezone with the latest tzdata from IANA's website. If an attacker intercepts the request to IANA's unencrypted FTP server, they can potentially serve malicious data to exploit further stages of the moment-timezone tzdata pipeline or produce a tainted version of moment-timezone.

Recommendations: For versions prior to 0.5.35, update to version 0.5.35 or apply the patch that changes the FTP endpoint to an HTTPS endpoint. As a temporary workaround, specify the exact version of tzdata (e.g., 2014d) and run the rest of the release tasks manually. Alternatively, apply the patch before issuing the grunt command.

Weakness Enumeration: Cleartext Transmission of Sensitive Information

Related Identifiers: GHSA-V78C-4P63-2J6C

Affected Products: Moment-Timezone