NodeJS/hapi/11.1.3


HTTP Server framework

https://www.npmjs.com/package/hapi
BSD-3-Clause

3 Security Vulnerabilities

Denial of Service in hapi

Published date: 2020-09-03T15:48:00Z

All versions of hapi are vulnerable to Denial of Service. The CORS request handler has a vulnerability which will cause the function to throw a system error if the header contains some invalid values. If no unhandled exception handler is available, the application will exit, allowing an attacker to shut down services.

Recommendation

This package is deprecated and is now maintained as @hapi/hapi. Please update your dependencies to use @hapi/hapi.

Affected versions: ["0.0.1", "0.0.2", "0.0.3", "0.0.4", "0.0.5", "0.0.6", "0.1.0", "0.1.1", "0.1.2", "0.1.3", "0.2.0", "0.2.1", "0.3.0", "0.4.0", "0.4.1", "0.4.2", "0.4.3", "0.4.4", "0.5.0", "0.5.1", "0.6.0", "0.6.1", "0.5.2", "0.7.0", "0.7.1", "0.8.0", "0.8.1", "0.8.2", "0.8.3", "0.8.4", "0.9.0", "0.9.1", "0.9.2", "0.10.0", "0.10.1", "0.11.0", "0.11.1", "0.11.2", "0.11.3", "0.12.0", "0.13.0", "0.13.1", "0.13.2", "0.11.4", "0.13.3", "0.14.0", "0.14.1", "0.14.2", "0.15.0", "0.15.1", "0.15.2", "0.15.3", "0.15.4", "0.15.5", "0.15.6", "0.15.7", "0.15.8", "0.15.9", "0.16.0", "1.0.0", "1.0.1", "1.0.2", "1.0.3", "1.1.0", "1.2.0", "1.3.0", "1.4.0", "1.5.0", "1.6.0", "1.6.1", "1.6.2", "1.7.0", "1.7.1", "1.7.2", "1.7.3", "1.8.0", "1.8.1", "1.8.2", "1.8.3", "1.9.0", "1.9.1", "1.9.2", "1.9.3", "1.9.4", "1.9.5", "1.9.6", "1.9.7", "1.10.0", "1.11.0", "1.11.1", "1.12.0", "1.13.0", "1.14.0", "1.15.0", "1.16.0", "1.16.1", "1.17.0", "1.18.0", "1.19.0", "1.19.1", "1.19.2", "1.19.3", "1.19.4", "1.19.5", "1.20.0", "2.0.0-preview", "0.5.1-a", "0.5.1-b", "0.5.1-b2", "0.5.1-c", "2.0.0", "2.1.0", "2.1.1", "2.1.2", "2.2.0", "2.3.0", "2.4.0", "2.5.0", "2.6.0", "3.0.0", "3.0.1", "3.0.2", "3.1.0", "4.0.0", "4.0.1", "4.0.2", "4.0.3", "4.1.0", "4.1.1", "4.1.2", "4.1.3", "4.1.4", "5.0.0", "5.1.0", "6.0.0", "6.0.1", "6.0.2", "6.1.0", "6.2.0", "6.2.1", "6.2.2", "6.3.0", "6.4.0", "6.5.0", "6.5.1", "6.6.0", "6.7.0", "6.7.1", "6.8.0", "6.8.1", "6.9.0", "6.10.0", "6.11.0", "6.11.1", "7.0.0", "7.0.1", "7.1.0", "7.1.1", "7.2.0", "7.3.0", "7.4.0", "7.5.0", "7.5.1", "7.5.2", "8.0.0", "7.5.3", "8.1.0", "8.2.0", "8.3.0", "8.3.1", "8.4.0", "8.5.0", "8.5.1", "8.5.2", "8.5.3", "8.6.0", "8.6.1", "8.8.0", "8.8.1", "9.0.0", "9.0.1", "9.0.2", "9.0.3", "9.0.4", "9.1.0", "9.2.0", "9.3.0", "9.3.1", "10.0.0", "10.0.1", "10.1.0", "10.2.1", "10.4.0", "10.4.1", "10.5.0", "11.0.0", "11.0.1", "11.0.2", "11.0.3", "11.0.4", "11.0.5", "11.1.0", "11.1.1", "11.1.2", "11.1.3", "11.1.4", "12.0.0", "12.0.1", "12.1.0", "9.5.1", 
"13.0.0", "13.1.0", "13.2.0", "13.2.1", "13.2.2", "13.3.0", "13.4.0", "13.4.1", "13.4.2", "13.5.0", "14.0.0", "13.5.3", "14.1.0", "14.2.0", "15.0.1", "15.0.2", "15.0.3", "15.1.0", "15.1.1", "15.2.0", "16.0.0", "16.0.1", "16.0.2", "16.0.3", "16.1.0", "16.1.1", "16.2.0", "16.3.0", "16.3.1", "16.4.0", "16.4.1", "16.4.2", "16.4.3", "16.5.0", "16.5.1", "16.5.2", "16.6.0", "16.6.1", "16.6.2", "17.0.0-rc1", "17.0.0-rc2", "17.0.0-rc3", "17.0.0-rc4", "17.0.0-rc6", "17.0.0-rc8", "17.0.0-rc9", "17.0.0-rc10", "17.0.0", "17.0.1", "17.0.2", "17.1.0", "17.1.1", "17.2.0", "17.2.1", "16.6.3", "17.2.2", "17.2.3", "17.3.0", "17.3.1", "17.4.0", "17.5.0", "17.5.1", "17.5.2", "17.5.3", "17.5.4", "17.5.5", "17.6.0", "17.6.1", "17.6.2", "17.6.3", "16.6.4", "17.6.4", "16.6.5", "17.7.0", "16.7.0", "17.8.0", "17.8.1", "18.0.0", "17.8.2", "17.8.3", "18.0.1", "17.8.4", "18.1.0", "17.8.5", "16.8.4"]
Secure versions: []

Unsafe Merging of CORS Configuration Conflict in hapi

Published date: 2020-09-01T15:20:00Z
CVE: CVE-2015-9243

Versions of hapi prior to 11.1.4 are affected by a vulnerability that causes route-level CORS configuration to override connection-level or server-level CORS defaults. This may result in a situation where CORS permissions are less restrictive than intended.

Recommendation

Update hapi to version 11.1.4 or later.

Affected versions: ["0.0.1", "0.0.2", "0.0.3", "0.0.4", "0.0.5", "0.0.6", "0.1.0", "0.1.1", "0.1.2", "0.1.3", "0.2.0", "0.2.1", "0.3.0", "0.4.0", "0.4.1", "0.4.2", "0.4.3", "0.4.4", "0.5.0", "0.5.1", "0.6.0", "0.6.1", "0.5.2", "0.7.0", "0.7.1", "0.8.0", "0.8.1", "0.8.2", "0.8.3", "0.8.4", "0.9.0", "0.9.1", "0.9.2", "0.10.0", "0.10.1", "0.11.0", "0.11.1", "0.11.2", "0.11.3", "0.12.0", "0.13.0", "0.13.1", "0.13.2", "0.11.4", "0.13.3", "0.14.0", "0.14.1", "0.14.2", "0.15.0", "0.15.1", "0.15.2", "0.15.3", "0.15.4", "0.15.5", "0.15.6", "0.15.7", "0.15.8", "0.15.9", "0.16.0", "1.0.0", "1.0.1", "1.0.2", "1.0.3", "1.1.0", "1.2.0", "1.3.0", "1.4.0", "1.5.0", "1.6.0", "1.6.1", "1.6.2", "1.7.0", "1.7.1", "1.7.2", "1.7.3", "1.8.0", "1.8.1", "1.8.2", "1.8.3", "1.9.0", "1.9.1", "1.9.2", "1.9.3", "1.9.4", "1.9.5", "1.9.6", "1.9.7", "1.10.0", "1.11.0", "1.11.1", "1.12.0", "1.13.0", "1.14.0", "1.15.0", "1.16.0", "1.16.1", "1.17.0", "1.18.0", "1.19.0", "1.19.1", "1.19.2", "1.19.3", "1.19.4", "1.19.5", "1.20.0", "2.0.0-preview", "0.5.1-a", "0.5.1-b", "0.5.1-b2", "0.5.1-c", "2.0.0", "2.1.0", "2.1.1", "2.1.2", "2.2.0", "2.3.0", "2.4.0", "2.5.0", "2.6.0", "3.0.0", "3.0.1", "3.0.2", "3.1.0", "4.0.0", "4.0.1", "4.0.2", "4.0.3", "4.1.0", "4.1.1", "4.1.2", "4.1.3", "4.1.4", "5.0.0", "5.1.0", "6.0.0", "6.0.1", "6.0.2", "6.1.0", "6.2.0", "6.2.1", "6.2.2", "6.3.0", "6.4.0", "6.5.0", "6.5.1", "6.6.0", "6.7.0", "6.7.1", "6.8.0", "6.8.1", "6.9.0", "6.10.0", "6.11.0", "6.11.1", "7.0.0", "7.0.1", "7.1.0", "7.1.1", "7.2.0", "7.3.0", "7.4.0", "7.5.0", "7.5.1", "7.5.2", "8.0.0", "7.5.3", "8.1.0", "8.2.0", "8.3.0", "8.3.1", "8.4.0", "8.5.0", "8.5.1", "8.5.2", "8.5.3", "8.6.0", "8.6.1", "8.8.0", "8.8.1", "9.0.0", "9.0.1", "9.0.2", "9.0.3", "9.0.4", "9.1.0", "9.2.0", "9.3.0", "9.3.1", "10.0.0", "10.0.1", "10.1.0", "10.2.1", "10.4.0", "10.4.1", "10.5.0", "11.0.0", "11.0.1", "11.0.2", "11.0.3", "11.0.4", "11.0.5", "11.1.0", "11.1.1", "11.1.2", "11.1.3", "9.5.1"]
Secure versions: []

Route level CORS config overrides connection level defaults

Published date: 2015-12-28
CVSS Score: 6.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Coordinating vendor: ^Lift Security

When server-level, connection-level or route-level CORS configurations are combined, security restrictions (like origin) set in a higher-level config are overridden by less restrictive defaults (e.g. origin defaults to all origins, *).

Affected versions: ["0.0.1", "0.0.2", "0.0.3", "0.0.4", "0.0.5", "0.0.6", "0.1.0", "0.1.1", "0.1.2", "0.1.3", "0.2.0", "0.2.1", "0.3.0", "0.4.0", "0.4.1", "0.4.2", "0.4.3", "0.4.4", "0.5.0", "0.5.1", "0.6.0", "0.6.1", "0.5.2", "0.7.0", "0.7.1", "0.8.0", "0.8.1", "0.8.2", "0.8.3", "0.8.4", "0.9.0", "0.9.1", "0.9.2", "0.10.0", "0.10.1", "0.11.0", "0.11.1", "0.11.2", "0.11.3", "0.12.0", "0.13.0", "0.13.1", "0.13.2", "0.11.4", "0.13.3", "0.14.0", "0.14.1", "0.14.2", "0.15.0", "0.15.1", "0.15.2", "0.15.3", "0.15.4", "0.15.5", "0.15.6", "0.15.7", "0.15.8", "0.15.9", "0.16.0", "1.0.0", "1.0.1", "1.0.2", "1.0.3", "1.1.0", "1.2.0", "1.3.0", "1.4.0", "1.5.0", "1.6.0", "1.6.1", "1.6.2", "1.7.0", "1.7.1", "1.7.2", "1.7.3", "1.8.0", "1.8.1", "1.8.2", "1.8.3", "1.9.0", "1.9.1", "1.9.2", "1.9.3", "1.9.4", "1.9.5", "1.9.6", "1.9.7", "1.10.0", "1.11.0", "1.11.1", "1.12.0", "1.13.0", "1.14.0", "1.15.0", "1.16.0", "1.16.1", "1.17.0", "1.18.0", "1.19.0", "1.19.1", "1.19.2", "1.19.3", "1.19.4", "1.19.5", "1.20.0", "2.0.0-preview", "0.5.1-a", "0.5.1-b", "0.5.1-b2", "0.5.1-c", "2.0.0", "2.1.0", "2.1.1", "2.1.2", "2.2.0", "2.3.0", "2.4.0", "2.5.0", "2.6.0", "3.0.0", "3.0.1", "3.0.2", "3.1.0", "4.0.0", "4.0.1", "4.0.2", "4.0.3", "4.1.0", "4.1.1", "4.1.2", "4.1.3", "4.1.4", "5.0.0", "5.1.0", "6.0.0", "6.0.1", "6.0.2", "6.1.0", "6.2.0", "6.2.1", "6.2.2", "6.3.0", "6.4.0", "6.5.0", "6.5.1", "6.6.0", "6.7.0", "6.7.1", "6.8.0", "6.8.1", "6.9.0", "6.10.0", "6.11.0", "6.11.1", "7.0.0", "7.0.1", "7.1.0", "7.1.1", "7.2.0", "7.3.0", "7.4.0", "7.5.0", "7.5.1", "7.5.2", "8.0.0", "7.5.3", "8.1.0", "8.2.0", "8.3.0", "8.3.1", "8.4.0", "8.5.0", "8.5.1", "8.5.2", "8.5.3", "8.6.0", "8.6.1", "8.8.0", "8.8.1", "9.0.0", "9.0.1", "9.0.2", "9.0.3", "9.0.4", "9.1.0", "9.2.0", "9.3.0", "9.3.1", "10.0.0", "10.0.1", "10.1.0", "10.2.1", "10.4.0", "10.4.1", "10.5.0", "11.0.0", "11.0.1", "11.0.2", "11.0.3", "11.0.4", "11.0.5", "11.1.0", "11.1.1", "11.1.2", "11.1.3", "9.5.1"]
Secure versions: []
Recommendation: You should install hapi v11.1.4 or newer if you combine server level, connection level, or route level CORS configuration.

295 Other Versions

Version License Security Released
18.1.0 BSD-3-Clause 1 2019-02-04 - 21:52 about 5 years
18.0.1 BSD-3-Clause 1 2019-01-31 - 20:14 about 5 years
18.0.0 BSD-3-Clause 1 2019-01-18 - 20:07 over 5 years
17.8.5 BSD-3-Clause 1 2019-03-19 - 01:21 about 5 years
17.8.4 BSD-3-Clause 1 2019-02-04 - 21:33 about 5 years
17.8.3 BSD-3-Clause 1 2019-01-31 - 20:11 about 5 years
17.8.2 BSD-3-Clause 1 2019-01-31 - 20:02 about 5 years
17.8.1 BSD-3-Clause 1 2018-11-23 - 04:19 over 5 years
17.8.0 BSD-3-Clause 1 2018-11-23 - 03:11 over 5 years
17.7.0 BSD-3-Clause 1 2018-11-06 - 00:50 over 5 years
17.6.4 BSD-3-Clause 1 2018-11-03 - 04:32 over 5 years
17.6.3 BSD-3-Clause 1 2018-11-02 - 17:56 over 5 years
17.6.2 BSD-3-Clause 1 2018-11-01 - 22:31 over 5 years
17.6.1 BSD-3-Clause 1 2018-11-01 - 22:26 over 5 years
17.6.0 BSD-3-Clause 1 2018-09-25 - 07:55 over 5 years
17.5.5 BSD-3-Clause 1 2018-09-23 - 06:01 over 5 years
17.5.4 BSD-3-Clause 1 2018-08-28 - 07:46 over 5 years
17.5.3 BSD-3-Clause 1 2018-08-02 - 00:17 over 5 years
17.5.2 BSD-3-Clause 1 2018-06-24 - 04:17 almost 6 years
17.5.1 BSD-3-Clause 1 2018-05-30 - 15:18 almost 6 years
17.5.0 BSD-3-Clause 1 2018-05-21 - 17:59 almost 6 years
17.4.0 BSD-3-Clause 1 2018-04-29 - 00:44 about 6 years
17.3.1 BSD-3-Clause 1 2018-04-02 - 19:18 about 6 years
17.3.0 BSD-3-Clause 1 2018-03-31 - 00:33 about 6 years
17.2.3 BSD-3-Clause 1 2018-03-16 - 05:38 about 6 years
17.2.2 BSD-3-Clause 1 2018-03-07 - 09:17 about 6 years
17.2.1 BSD-3-Clause 1 2018-03-01 - 09:45 about 6 years
17.2.0 BSD-3-Clause 1 2017-12-20 - 06:31 over 6 years
17.1.1 BSD-3-Clause 1 2017-11-23 - 19:08 over 6 years
17.1.0 BSD-3-Clause 1 2017-11-23 - 09:46 over 6 years
17.0.2 BSD-3-Clause 1 2017-11-21 - 07:25 over 6 years
17.0.1 BSD-3-Clause 1 2017-11-05 - 08:55 over 6 years
17.0.0 BSD-3-Clause 1 2017-11-03 - 22:30 over 6 years
17.0.0-rc10 BSD-3-Clause 1 2017-11-03 - 09:52 over 6 years
17.0.0-rc9 BSD-3-Clause 1 2017-10-22 - 08:56 over 6 years
17.0.0-rc8 BSD-3-Clause 1 2017-10-18 - 09:30 over 6 years
17.0.0-rc6 BSD-3-Clause 1 2017-10-07 - 09:42 over 6 years
17.0.0-rc4 BSD-3-Clause 1 2017-10-06 - 23:19 over 6 years
17.0.0-rc3 BSD-3-Clause 1 2017-10-06 - 09:13 over 6 years
17.0.0-rc2 BSD-3-Clause 1 2017-10-02 - 20:11 over 6 years
17.0.0-rc1 BSD-3-Clause 1 2017-09-28 - 19:24 over 6 years
16.8.4 SEE LICENSE IN LICENSE.md 1 2024-01-06 - 10:28 4 months
16.7.0 BSD-3-Clause 1 2018-11-06 - 03:27 over 5 years
16.6.5 BSD-3-Clause 1 2018-11-05 - 22:47 over 5 years
16.6.4 BSD-3-Clause 1 2018-11-02 - 21:52 over 5 years
16.6.3 BSD-3-Clause 1 2018-03-01 - 09:54 about 6 years
16.6.2 BSD-3-Clause 1 2017-09-25 - 20:37 over 6 years
16.6.1 BSD-3-Clause 1 2017-09-24 - 17:34 over 6 years
16.6.0 BSD-3-Clause 1 2017-09-12 - 19:36 over 6 years
16.5.2 BSD-3-Clause 1 2017-08-04 - 05:01 over 6 years
16.5.1 BSD-3-Clause 1 2017-08-04 - 00:11 over 6 years
16.5.0 BSD-3-Clause 1 2017-07-20 - 08:38 almost 7 years
16.4.3 BSD-3-Clause 1 2017-06-09 - 18:33 almost 7 years
16.4.2 BSD-3-Clause 1 2017-06-08 - 07:06 almost 7 years
16.4.1 BSD-3-Clause 1 2017-06-05 - 17:27 almost 7 years
16.4.0 BSD-3-Clause 1 2017-06-05 - 08:13 almost 7 years
16.3.1 BSD-3-Clause 1 2017-06-05 - 03:22 almost 7 years
16.3.0 BSD-3-Clause 1 2017-05-30 - 20:47 almost 7 years
16.2.0 BSD-3-Clause 1 2017-05-29 - 09:41 almost 7 years
16.1.1 BSD-3-Clause 1 2017-03-31 - 20:13 about 7 years
16.1.0 BSD-3-Clause 3 2016-12-29 - 22:03 over 7 years
16.0.3 BSD-3-Clause 3 2016-12-29 - 08:21 over 7 years
16.0.2 BSD-3-Clause 3 2016-12-19 - 08:38 over 7 years
16.0.1 BSD-3-Clause 3 2016-12-01 - 19:03 over 7 years
16.0.0 BSD-3-Clause 3 2016-11-30 - 00:40 over 7 years
15.2.0 BSD-3-Clause 3 2016-10-20 - 17:13 over 7 years
15.1.1 BSD-3-Clause 3 2016-09-27 - 20:58 over 7 years
15.1.0 BSD-3-Clause 3 2016-09-27 - 00:02 over 7 years
15.0.3 BSD-3-Clause 3 2016-09-01 - 00:07 over 7 years
15.0.2 BSD-3-Clause 3 2016-08-28 - 21:48 over 7 years
15.0.1 BSD-3-Clause 3 2016-08-26 - 23:44 over 7 years
14.2.0 BSD-3-Clause 1 2016-08-13 - 20:38 over 7 years
14.1.0 BSD-3-Clause 1 2016-08-01 - 19:28 over 7 years
14.0.0 BSD-3-Clause 1 2016-07-29 - 18:28 over 7 years
13.5.3 BSD-3-Clause 1 2016-07-29 - 18:57 over 7 years
13.5.0 BSD-3-Clause 1 2016-07-06 - 03:56 almost 8 years
13.4.2 BSD-3-Clause 1 2016-07-04 - 04:31 almost 8 years
13.4.1 BSD-3-Clause 1 2016-05-21 - 08:11 almost 8 years
13.4.0 BSD-3-Clause 1 2016-05-07 - 21:32 almost 8 years
13.3.0 BSD-3-Clause 1 2016-04-02 - 17:22 about 8 years
13.2.2 BSD-3-Clause 1 2016-03-25 - 16:50 about 8 years
13.2.1 BSD-3-Clause 1 2016-03-11 - 06:11 about 8 years
13.2.0 BSD-3-Clause 1 2016-03-11 - 06:07 about 8 years
13.1.0 BSD-3-Clause 1 2016-03-10 - 01:50 about 8 years
13.0.0 BSD-3-Clause 1 2016-02-01 - 08:16 about 8 years
12.1.0 BSD-3-Clause 1 2016-01-09 - 22:38 over 8 years
12.0.1 BSD-3-Clause 1 2016-01-06 - 19:32 over 8 years
12.0.0 BSD-3-Clause 1 2016-01-04 - 23:10 over 8 years
11.1.4 BSD-3-Clause 1 2015-12-27 - 16:15 over 8 years
11.1.3 BSD-3-Clause 3 2015-12-23 - 21:52 over 8 years
11.1.2 BSD-3-Clause 5 2015-11-21 - 22:30 over 8 years
11.1.1 BSD-3-Clause 5 2015-11-14 - 17:39 over 8 years
11.1.0 BSD-3-Clause 5 2015-11-05 - 08:51 over 8 years
11.0.5 BSD-3-Clause 5 2015-11-03 - 20:53 over 8 years
11.0.4 BSD-3-Clause 5 2015-11-03 - 08:14 over 8 years
11.0.3 BSD-3-Clause 5 2015-10-30 - 06:09 over 8 years
11.0.2 BSD-3-Clause 5 2015-10-21 - 15:42 over 8 years
11.0.1 BSD-3-Clause 5 2015-10-20 - 04:47 over 8 years
11.0.0 BSD-3-Clause 5 2015-10-16 - 19:30 over 8 years
10.5.0 BSD-3-Clause 7 2015-10-15 - 16:00 over 8 years