NodeJS/hapi/11.1.3

HTTP Server framework

Repo Link: https://www.npmjs.com/package/hapi
License: BSD-3-Clause

3 Security Vulnerabilities

Denial of Service in hapi

Published date: 2020-09-03T15:48:00Z

Links:

All Versions of hapi are vulnerable to Denial of Service. The CORS request handler has a vulnerability which will cause the function to throw a system error if the header contains some invalid values. If no unhandled exception handler is available, the application will exist, allowing an attacker to shut down services.

Recommendation

This package is deprecated and is now maintained as @hapi/hapi. Please update your dependencies to use @hapi/hapi.

Affected versions: ["0.0.1", "0.0.2", "0.0.3", "0.0.4", "0.0.5", "0.0.6", "0.1.0", "0.1.1", "0.1.2", "0.1.3", "0.2.0", "0.2.1", "0.3.0", "0.4.0", "0.4.1", "0.4.2", "0.4.3", "0.4.4", "0.5.0", "0.5.1", "0.6.0", "0.6.1", "0.5.2", "0.7.0", "0.7.1", "0.8.0", "0.8.1", "0.8.2", "0.8.3", "0.8.4", "0.9.0", "0.9.1", "0.9.2", "0.10.0", "0.10.1", "0.11.0", "0.11.1", "0.11.2", "0.11.3", "0.12.0", "0.13.0", "0.13.1", "0.13.2", "0.11.4", "0.13.3", "0.14.0", "0.14.1", "0.14.2", "0.15.0", "0.15.1", "0.15.2", "0.15.3", "0.15.4", "0.15.5", "0.15.6", "0.15.7", "0.15.8", "0.15.9", "0.16.0", "1.0.0", "1.0.1", "1.0.2", "1.0.3", "1.1.0", "1.2.0", "1.3.0", "1.4.0", "1.5.0", "1.6.0", "1.6.1", "1.6.2", "1.7.0", "1.7.1", "1.7.2", "1.7.3", "1.8.0", "1.8.1", "1.8.2", "1.8.3", "1.9.0", "1.9.1", "1.9.2", "1.9.3", "1.9.4", "1.9.5", "1.9.6", "1.9.7", "1.10.0", "1.11.0", "1.11.1", "1.12.0", "1.13.0", "1.14.0", "1.15.0", "1.16.0", "1.16.1", "1.17.0", "1.18.0", "1.19.0", "1.19.1", "1.19.2", "1.19.3", "1.19.4", "1.19.5", "1.20.0", "2.0.0-preview", "0.5.1-a", "0.5.1-b", "0.5.1-b2", "0.5.1-c", "2.0.0", "2.1.0", "2.1.1", "2.1.2", "2.2.0", "2.3.0", "2.4.0", "2.5.0", "2.6.0", "3.0.0", "3.0.1", "3.0.2", "3.1.0", "4.0.0", "4.0.1", "4.0.2", "4.0.3", "4.1.0", "4.1.1", "4.1.2", "4.1.3", "4.1.4", "5.0.0", "5.1.0", "6.0.0", "6.0.1", "6.0.2", "6.1.0", "6.2.0", "6.2.1", "6.2.2", "6.3.0", "6.4.0", "6.5.0", "6.5.1", "6.6.0", "6.7.0", "6.7.1", "6.8.0", "6.8.1", "6.9.0", "6.10.0", "6.11.0", "6.11.1", "7.0.0", "7.0.1", "7.1.0", "7.1.1", "7.2.0", "7.3.0", "7.4.0", "7.5.0", "7.5.1", "7.5.2", "8.0.0", "7.5.3", "8.1.0", "8.2.0", "8.3.0", "8.3.1", "8.4.0", "8.5.0", "8.5.1", "8.5.2", "8.5.3", "8.6.0", "8.6.1", "8.8.0", "8.8.1", "9.0.0", "9.0.1", "9.0.2", "9.0.3", "9.0.4", "9.1.0", "9.2.0", "9.3.0", "9.3.1", "10.0.0", "10.0.1", "10.1.0", "10.2.1", "10.4.0", "10.4.1", "10.5.0", "11.0.0", "11.0.1", "11.0.2", "11.0.3", "11.0.4", "11.0.5", "11.1.0", "11.1.1", "11.1.2", "11.1.3", "11.1.4", "12.0.0", "12.0.1", "12.1.0", "9.5.1", "13.0.0", "13.1.0", "13.2.0", "13.2.1", "13.2.2", "13.3.0", "13.4.0", "13.4.1", "13.4.2", "13.5.0", "14.0.0", "13.5.3", "14.1.0", "14.2.0", "15.0.1", "15.0.2", "15.0.3", "15.1.0", "15.1.1", "15.2.0", "16.0.0", "16.0.1", "16.0.2", "16.0.3", "16.1.0", "16.1.1", "16.2.0", "16.3.0", "16.3.1", "16.4.0", "16.4.1", "16.4.2", "16.4.3", "16.5.0", "16.5.1", "16.5.2", "16.6.0", "16.6.1", "16.6.2", "17.0.0-rc1", "17.0.0-rc2", "17.0.0-rc3", "17.0.0-rc4", "17.0.0-rc6", "17.0.0-rc8", "17.0.0-rc9", "17.0.0-rc10", "17.0.0", "17.0.1", "17.0.2", "17.1.0", "17.1.1", "17.2.0", "17.2.1", "16.6.3", "17.2.2", "17.2.3", "17.3.0", "17.3.1", "17.4.0", "17.5.0", "17.5.1", "17.5.2", "17.5.3", "17.5.4", "17.5.5", "17.6.0", "17.6.1", "17.6.2", "17.6.3", "16.6.4", "17.6.4", "16.6.5", "17.7.0", "16.7.0", "17.8.0", "17.8.1", "18.0.0", "17.8.2", "17.8.3", "18.0.1", "17.8.4", "18.1.0", "17.8.5", "16.8.4"]

Secure versions: []

Unsafe Merging of CORS Configuration Conflict in hapi

Published date: 2020-09-01T15:20:00Z

CVE: CVE-2015-9243

Links:

Versions of hapi prior to 11.1.4 are affected by a vulnerability that causes route-level CORS configuration to override connection-level or server-level CORS defaults. This may result in a situation where CORS permissions are less restrictive than intended.

Recommendation

Update hapi to version 11.1.4 or later.

Secure versions: []

Route level CORS config overrides connection level defaults

Published date: 2015-12-28

CVSS Score: 6.5

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Coordinating vendor: ^Lift Security

Links:

https://github.com/hapijs/hapi/issues/2980

When server level, connection level or route level CORS configurations are combined and when a higher level config included security restrictions (like origin), a higher level config that included security restrictions (like origin) would have those restrictions overridden by less restrictive defaults (e.g. origin defaults to all origins *).

Secure versions: []

Recommendation: You should install hapi v11.1.4 or newer if you combine server level, connection level, or route level CORS configuration.

295 Other Versions

Version	License	Security	Released
11.1.3	BSD-3-Clause	3	2015-12-23 - 21:52	over 8 years
11.1.2	BSD-3-Clause	5	2015-11-21 - 22:30	over 8 years
11.1.0	BSD-3-Clause	5	2015-11-05 - 08:51	over 8 years
11.1.1	BSD-3-Clause	5	2015-11-14 - 17:39	over 8 years
11.0.5	BSD-3-Clause	5	2015-11-03 - 20:53	over 8 years
11.0.4	BSD-3-Clause	5	2015-11-03 - 08:14	over 8 years
11.0.2	BSD-3-Clause	5	2015-10-21 - 15:42	over 8 years
11.0.3	BSD-3-Clause	5	2015-10-30 - 06:09	over 8 years
11.0.0	BSD-3-Clause	5	2015-10-16 - 19:30	over 8 years
11.0.1	BSD-3-Clause	5	2015-10-20 - 04:47	over 8 years
10.5.0	BSD-3-Clause	7	2015-10-15 - 16:00	over 8 years
9.2.0	BSD-3-Clause	7	2015-09-05 - 15:53	over 8 years
9.0.2	BSD-3-Clause	7	2015-08-15 - 23:50	over 8 years
10.1.0	BSD-3-Clause	7	2015-09-25 - 15:35	over 8 years
10.4.0	BSD-3-Clause	7	2015-10-05 - 22:41	over 8 years
10.0.1	BSD-3-Clause	7	2015-09-23 - 01:23	over 8 years
9.3.0	BSD-3-Clause	7	2015-09-06 - 17:34	over 8 years
9.3.1	BSD-3-Clause	7	2015-09-08 - 19:16	over 8 years
9.0.0	BSD-3-Clause	7	2015-08-12 - 06:39	almost 9 years
9.1.0	BSD-3-Clause	7	2015-09-04 - 05:34	over 8 years
9.0.3	BSD-3-Clause	7	2015-08-19 - 15:53	over 8 years
9.0.4	BSD-3-Clause	7	2015-09-02 - 07:51	over 8 years
8.8.0	BSD-3-Clause	7	2015-07-03 - 22:44	almost 9 years
9.0.1	BSD-3-Clause	7	2015-08-12 - 14:55	almost 9 years
10.4.1	BSD-3-Clause	7	2015-10-08 - 16:05	over 8 years
8.8.1	BSD-3-Clause	7	2015-07-29 - 19:31	almost 9 years
6.11.1	BSD	7	2014-10-06 - 19:18	over 9 years
6.9.0	BSD	7	2014-09-22 - 20:40	over 9 years
6.10.0	BSD	7	2014-10-02 - 22:15	over 9 years
7.1.1	BSD	7	2014-10-24 - 06:20	over 9 years
6.11.0	BSD	7	2014-10-04 - 06:52	over 9 years
7.1.0	BSD	7	2014-10-22 - 19:45	over 9 years
6.7.1	BSD	7	2014-08-28 - 00:28	over 9 years
6.6.0	BSD	7	2014-08-24 - 07:02	over 9 years
6.7.0	BSD	7	2014-08-27 - 23:37	over 9 years
6.5.0	BSD	7	2014-08-13 - 18:48	almost 10 years
6.5.1	BSD	7	2014-08-13 - 20:11	almost 10 years
7.0.1	BSD	7	2014-10-22 - 19:08	over 9 years
6.3.0	BSD	7	2014-08-03 - 20:33	almost 10 years
6.2.1	BSD	7	2014-07-23 - 14:07	almost 10 years
10.0.0	BSD-3-Clause	7	2015-09-11 - 20:47	over 8 years
6.8.0	BSD	7	2014-09-09 - 00:54	over 9 years
6.1.0	BSD	7	2014-07-16 - 14:26	almost 10 years
6.2.0	BSD	7	2014-07-17 - 12:34	almost 10 years
6.4.0	BSD	7	2014-08-05 - 01:10	almost 10 years
8.3.0	BSD	7	2015-03-11 - 00:33	about 9 years
7.0.0	BSD	7	2014-10-10 - 00:26	over 9 years
7.5.0	BSD	7	2014-11-07 - 22:12	over 9 years
7.4.0	BSD	7	2014-11-07 - 05:03	over 9 years
7.5.1	BSD	7	2014-11-10 - 20:09	over 9 years
7.3.0	BSD	7	2014-11-05 - 03:04	over 9 years
7.2.0	BSD	7	2014-10-30 - 23:35	over 9 years
7.5.2	BSD	7	2014-11-10 - 20:23	over 9 years
7.5.3	BSD	7	2014-12-16 - 02:58	over 9 years
8.1.0	BSD	7	2015-01-06 - 22:31	over 9 years
8.5.2	BSD-3-Clause	7	2015-05-27 - 05:52	almost 9 years
8.2.0	BSD	7	2015-02-09 - 21:04	over 9 years
8.4.0	BSD	7	2015-03-13 - 18:51	about 9 years
8.5.0	BSD-3-Clause	7	2015-05-21 - 19:22	almost 9 years
8.3.1	BSD	7	2015-03-11 - 06:36	about 9 years
8.5.1	BSD-3-Clause	7	2015-05-22 - 21:54	almost 9 years
8.6.1	BSD-3-Clause	7	2015-06-05 - 12:18	almost 9 years
8.0.0	BSD	7	2014-12-09 - 23:09	over 9 years
9.5.1	BSD-3-Clause	7	2016-01-20 - 18:27	over 8 years
8.5.3	BSD-3-Clause	7	2015-05-29 - 05:55	almost 9 years
6.8.1	BSD	7	2014-09-09 - 21:15	over 9 years
6.2.2	BSD	7	2014-08-01 - 20:12	almost 10 years
10.2.1	BSD-3-Clause	7	2015-10-03 - 19:33	over 8 years
8.6.0	BSD-3-Clause	7	2015-05-29 - 20:12	almost 9 years
1.6.0	BSD	9	2013-05-29 - 17:54	almost 11 years
1.6.2	BSD	9	2013-05-31 - 04:45	almost 11 years
1.5.0	BSD	9	2013-05-27 - 23:00	almost 11 years
1.7.1	BSD	9	2013-06-04 - 16:39	almost 11 years
1.7.2	BSD	9	2013-06-04 - 21:25	almost 11 years
1.7.3	BSD	9	2013-06-07 - 22:18	almost 11 years
1.6.1	BSD	9	2013-05-30 - 19:51	almost 11 years
1.8.1	BSD	9	2013-06-17 - 20:50	almost 11 years
1.8.2	BSD	9	2013-06-26 - 14:35	almost 11 years
1.8.3	BSD	9	2013-07-15 - 20:41	almost 11 years
1.9.0	BSD	9	2013-07-23 - 00:34	almost 11 years
1.9.1	BSD	9	2013-08-15 - 18:38	over 10 years
1.7.0	BSD	9	2013-06-04 - 06:57	almost 11 years
1.9.3	BSD	9	2013-08-15 - 20:16	over 10 years
1.9.4	BSD	9	2013-08-15 - 20:56	over 10 years
1.9.5	BSD	9	2013-08-28 - 23:51	over 10 years
1.9.6	BSD	9	2013-08-29 - 20:25	over 10 years
1.9.7	BSD	9	2013-09-04 - 18:06	over 10 years
1.10.0	BSD	9	2013-09-09 - 22:18	over 10 years
1.11.0	BSD	9	2013-09-16 - 21:10	over 10 years
1.11.1	BSD	9	2013-09-18 - 00:40	over 10 years
1.12.0	BSD	9	2013-10-01 - 19:05	over 10 years
1.8.0	BSD	9	2013-06-13 - 18:12	almost 11 years
1.14.0	BSD	9	2013-10-04 - 20:32	over 10 years
1.15.0	BSD	9	2013-10-30 - 19:52	over 10 years
1.16.0	BSD	9	2013-11-07 - 00:51	over 10 years
1.16.1	BSD	9	2013-11-09 - 08:55	over 10 years
1.17.0	BSD	9	2013-11-15 - 17:45	over 10 years
1.18.0	BSD	9	2013-11-18 - 19:53	over 10 years
1.19.0	BSD	9	2013-11-19 - 07:46	over 10 years
1.19.1	BSD	9	2013-11-19 - 21:29	over 10 years