NodeJS/crumb/0.1.2

CSRF crumb generation and validation plugin

https://www.npmjs.com/package/crumb
BSD

2 Security Vulnerabilities

CORS Token Disclosure in crumb

Published date: 2017-10-24T18:33:36Z
CVE: CVE-2014-7193
Links:

When CORS is enabled on a hapi route handler, it is possible to set a crumb token for a different domain. An attacker would need to have an application consumer visit a site they control, request a route supporting CORS, and then retrieve the token. With this token, they could possibly make requests to non CORS routes as this user.

A configuration and scenario where this would occur is unlikely, as most configurations will set CORS globally (where crumb is not used), or not at all.

Recommendation

Update to version 3.0.0 or greater.

Affected versions: ["0.0.1", "0.0.2", "0.0.3", "0.0.4", "0.0.5", "0.0.6", "0.0.7", "0.0.8", "0.0.9", "0.1.0", "0.1.1", "0.1.2", "0.1.3", "0.2.0", "0.3.0", "0.3.1", "0.3.2", "1.0.0", "1.1.0", "1.1.1", "1.1.2", "2.0.0", "2.1.0", "2.2.0"]
Secure versions: [3.0.0, 3.0.1, 3.1.0, 3.2.0, 3.3.0, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 5.0.0, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 7.0.0, 7.1.0, 6.1.0, 7.2.1, 7.2.0, 7.2.2, 7.2.3]
Recommendation: Update to version 7.2.3.

CORS Token Disclosure

Published date: 2014-08-01
CVEs: ["CVE-2014-7193"]
CVSS Score: 5.4
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
Coordinating vendor: ^Lift Security
Links:

When CORS is enabled on a hapi route handler, it is possible to set a crumb token for a different domain. An attacker would need to have an application consumer visit a site they control, request a route supporting CORS, and then retrieve the token. With this token, they could possibly make requests to non CORS routes as this user.

A configuration and scenario where this would occur is unlikely, as most configurations will set CORS globally (where crumb is not used), or not at all.

Affected versions: ["0.0.1", "0.0.2", "0.0.3", "0.0.4", "0.0.5", "0.0.6", "0.0.7", "0.0.8", "0.0.9", "0.1.0", "0.1.1", "0.1.2", "0.1.3", "0.2.0", "0.3.0", "0.3.1", "0.3.2", "1.0.0", "1.1.0", "1.1.1", "1.1.2", "2.0.0", "2.1.0", "2.2.0"]
Secure versions: [3.0.0, 3.0.1, 3.1.0, 3.2.0, 3.3.0, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 5.0.0, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 7.0.0, 7.1.0, 6.1.0, 7.2.1, 7.2.0, 7.2.2, 7.2.3]
Recommendation: Update to a version 3.0.0 or greater.

46 Other Versions

Version License Security Released
7.2.3 BSD-3-Clause 2018-11-13 - 17:57 over 5 years
7.2.2 BSD-3-Clause 2018-11-06 - 19:08 over 5 years
7.2.1 BSD-3-Clause 2018-10-08 - 19:01 over 5 years
7.2.0 BSD-3-Clause 2018-10-08 - 19:02 over 5 years
7.1.0 BSD-3-Clause 2018-04-23 - 15:22 about 6 years
7.0.0 BSD-3-Clause 2017-11-29 - 22:08 over 6 years
6.1.0 BSD-3-Clause 2018-04-23 - 15:27 about 6 years
6.0.3 BSD-3-Clause 2016-08-12 - 17:50 over 7 years
6.0.2 BSD-3-Clause 2016-06-30 - 04:52 almost 8 years
6.0.1 BSD-3-Clause 2016-05-12 - 20:17 almost 8 years
6.0.0 BSD-3-Clause 2016-01-15 - 19:13 over 8 years
5.0.0 BSD 2015-10-26 - 19:38 over 8 years
4.0.4 BSD 2015-09-24 - 13:06 over 8 years
4.0.3 BSD 2015-02-26 - 14:45 about 9 years
4.0.2 BSD 2015-02-13 - 05:03 about 9 years
4.0.1 BSD 2015-02-05 - 14:08 about 9 years
4.0.0 BSD 2014-12-10 - 13:44 over 9 years
3.3.0 BSD 2014-10-01 - 12:23 over 9 years
3.2.0 BSD 2014-09-23 - 11:34 over 9 years
3.1.0 BSD 2014-08-05 - 14:41 over 9 years
3.0.1 BSD 2014-08-03 - 05:16 over 9 years
3.0.0 BSD 2014-07-31 - 20:05 over 9 years
2.2.0 BSD 2 2014-05-27 - 13:39 almost 10 years
2.1.0 BSD 2 2014-05-21 - 16:04 almost 10 years
2.0.0 BSD 2 2014-04-11 - 19:03 about 10 years
1.1.2 BSD 2 2014-03-21 - 00:42 about 10 years
1.1.1 BSD 2 2014-03-11 - 03:06 about 10 years
1.1.0 BSD 2 2014-03-07 - 18:53 about 10 years
1.0.0 BSD 2 2014-01-09 - 08:14 over 10 years
0.3.2 BSD 2 2013-11-21 - 16:54 over 10 years
0.3.1 BSD 2 2013-07-13 - 21:08 almost 11 years
0.3.0 BSD 2 2013-04-30 - 20:11 almost 11 years
0.2.0 BSD 2 2013-04-03 - 08:07 about 11 years
0.1.3 BSD 2 2013-03-06 - 07:25 about 11 years
0.1.2 BSD 2 2013-03-05 - 23:59 about 11 years
0.1.1 BSD 2 2013-03-05 - 23:47 about 11 years
0.1.0 BSD 2 2013-03-04 - 22:00 about 11 years
0.0.9 BSD 2 2013-02-20 - 06:55 about 11 years
0.0.8 BSD 2 2013-02-17 - 04:10 about 11 years
0.0.7 BSD 2 2013-02-17 - 02:17 about 11 years
0.0.6 BSD 2 2013-02-15 - 07:29 about 11 years
0.0.5 BSD 2 2013-02-15 - 07:02 about 11 years
0.0.4 BSD 2 2013-02-10 - 07:19 about 11 years
0.0.3 BSD 2 2013-02-08 - 23:17 about 11 years
0.0.2 BSD 2 2013-02-08 - 15:31 about 11 years
0.0.1 BSD 2 2013-02-08 - 08:47 about 11 years