NodeJS/hapi/2.5.0
HTTP Server framework
Repo Link:
https://www.npmjs.com/package/hapi
License:
BSD
9 Security Vulnerabilities
Published date: 2020-08-31T22:45:35Z
CVE: CVE-2014-4671
This description taken from the pull request provided by Patrick Kettner.
Versions 6.1.0 and earlier of hapi are vulnerable to a rosetta-flash attack, which can be used by attackers to send data across domains and break the browser same-origin-policy.
Recommendation
Update hapi to version 6.1.1 or later.
Alternatively, a solution previously implemented by Google, Facebook, and Github is to prepend callbacks with an empty inline comment. This will cause the flash parser to break on invalid inputs and prevent the issue, and how the issue has been resolved internally in hapi.
Affected versions:
["0.0.1", "0.0.2", "0.0.3", "0.0.4", "0.0.5", "0.0.6", "0.1.0", "0.1.1", "0.1.2", "0.1.3", "0.2.0", "0.2.1", "0.3.0", "0.4.0", "0.4.1", "0.4.2", "0.4.3", "0.4.4", "0.5.0", "0.5.1", "0.6.0", "0.6.1", "0.5.2", "0.7.0", "0.7.1", "0.8.0", "0.8.1", "0.8.2", "0.8.3", "0.8.4", "0.9.0", "0.9.1", "0.9.2", "0.10.0", "0.10.1", "0.11.0", "0.11.1", "0.11.2", "0.11.3", "0.12.0", "0.13.0", "0.13.1", "0.13.2", "0.11.4", "0.13.3", "0.14.0", "0.14.1", "0.14.2", "0.15.0", "0.15.1", "0.15.2", "0.15.3", "0.15.4", "0.15.5", "0.15.6", "0.15.7", "0.15.8", "0.15.9", "0.16.0", "1.0.0", "1.0.1", "1.0.2", "1.0.3", "1.1.0", "1.2.0", "1.3.0", "1.4.0", "1.5.0", "1.6.0", "1.6.1", "1.6.2", "1.7.0", "1.7.1", "1.7.2", "1.7.3", "1.8.0", "1.8.1", "1.8.2", "1.8.3", "1.9.0", "1.9.1", "1.9.2", "1.9.3", "1.9.4", "1.9.5", "1.9.6", "1.9.7", "1.10.0", "1.11.0", "1.11.1", "1.12.0", "1.13.0", "1.14.0", "1.15.0", "1.16.0", "1.16.1", "1.17.0", "1.18.0", "1.19.0", "1.19.1", "1.19.2", "1.19.3", "1.19.4", "1.19.5", "1.20.0", "2.0.0-preview", "0.5.1-a", "0.5.1-b", "0.5.1-b2", "0.5.1-c", "2.0.0", "2.1.0", "2.1.1", "2.1.2", "2.2.0", "2.3.0", "2.4.0", "2.5.0", "2.6.0", "3.0.0", "3.0.1", "3.0.2", "3.1.0", "4.0.0", "4.0.1", "4.0.2", "4.0.3", "4.1.0", "4.1.1", "4.1.2", "4.1.3", "4.1.4", "5.0.0", "5.1.0", "6.0.0", "6.0.1", "6.0.2"]
Secure versions:
[]
Published date: 2020-09-03T15:48:00Z
All Versions of hapi
are vulnerable to Denial of Service. The CORS request handler has a vulnerability which will cause the function to throw a system error if the header contains some invalid values. If no unhandled exception handler is available, the application will exist, allowing an attacker to shut down services.
Recommendation
This package is deprecated and is now maintained as @hapi/hapi
. Please update your dependencies to use @hapi/hapi
.
Affected versions:
["0.0.1", "0.0.2", "0.0.3", "0.0.4", "0.0.5", "0.0.6", "0.1.0", "0.1.1", "0.1.2", "0.1.3", "0.2.0", "0.2.1", "0.3.0", "0.4.0", "0.4.1", "0.4.2", "0.4.3", "0.4.4", "0.5.0", "0.5.1", "0.6.0", "0.6.1", "0.5.2", "0.7.0", "0.7.1", "0.8.0", "0.8.1", "0.8.2", "0.8.3", "0.8.4", "0.9.0", "0.9.1", "0.9.2", "0.10.0", "0.10.1", "0.11.0", "0.11.1", "0.11.2", "0.11.3", "0.12.0", "0.13.0", "0.13.1", "0.13.2", "0.11.4", "0.13.3", "0.14.0", "0.14.1", "0.14.2", "0.15.0", "0.15.1", "0.15.2", "0.15.3", "0.15.4", "0.15.5", "0.15.6", "0.15.7", "0.15.8", "0.15.9", "0.16.0", "1.0.0", "1.0.1", "1.0.2", "1.0.3", "1.1.0", "1.2.0", "1.3.0", "1.4.0", "1.5.0", "1.6.0", "1.6.1", "1.6.2", "1.7.0", "1.7.1", "1.7.2", "1.7.3", "1.8.0", "1.8.1", "1.8.2", "1.8.3", "1.9.0", "1.9.1", "1.9.2", "1.9.3", "1.9.4", "1.9.5", "1.9.6", "1.9.7", "1.10.0", "1.11.0", "1.11.1", "1.12.0", "1.13.0", "1.14.0", "1.15.0", "1.16.0", "1.16.1", "1.17.0", "1.18.0", "1.19.0", "1.19.1", "1.19.2", "1.19.3", "1.19.4", "1.19.5", "1.20.0", "2.0.0-preview", "0.5.1-a", "0.5.1-b", "0.5.1-b2", "0.5.1-c", "2.0.0", "2.1.0", "2.1.1", "2.1.2", "2.2.0", "2.3.0", "2.4.0", "2.5.0", "2.6.0", "3.0.0", "3.0.1", "3.0.2", "3.1.0", "4.0.0", "4.0.1", "4.0.2", "4.0.3", "4.1.0", "4.1.1", "4.1.2", "4.1.3", "4.1.4", "5.0.0", "5.1.0", "6.0.0", "6.0.1", "6.0.2", "6.1.0", "6.2.0", "6.2.1", "6.2.2", "6.3.0", "6.4.0", "6.5.0", "6.5.1", "6.6.0", "6.7.0", "6.7.1", "6.8.0", "6.8.1", "6.9.0", "6.10.0", "6.11.0", "6.11.1", "7.0.0", "7.0.1", "7.1.0", "7.1.1", "7.2.0", "7.3.0", "7.4.0", "7.5.0", "7.5.1", "7.5.2", "8.0.0", "7.5.3", "8.1.0", "8.2.0", "8.3.0", "8.3.1", "8.4.0", "8.5.0", "8.5.1", "8.5.2", "8.5.3", "8.6.0", "8.6.1", "8.8.0", "8.8.1", "9.0.0", "9.0.1", "9.0.2", "9.0.3", "9.0.4", "9.1.0", "9.2.0", "9.3.0", "9.3.1", "10.0.0", "10.0.1", "10.1.0", "10.2.1", "10.4.0", "10.4.1", "10.5.0", "11.0.0", "11.0.1", "11.0.2", "11.0.3", "11.0.4", "11.0.5", "11.1.0", "11.1.1", "11.1.2", "11.1.3", "11.1.4", "12.0.0", "12.0.1", "12.1.0", "9.5.1", "13.0.0", "13.1.0", "13.2.0", "13.2.1", "13.2.2", "13.3.0", "13.4.0", "13.4.1", "13.4.2", "13.5.0", "14.0.0", "13.5.3", "14.1.0", "14.2.0", "15.0.1", "15.0.2", "15.0.3", "15.1.0", "15.1.1", "15.2.0", "16.0.0", "16.0.1", "16.0.2", "16.0.3", "16.1.0", "16.1.1", "16.2.0", "16.3.0", "16.3.1", "16.4.0", "16.4.1", "16.4.2", "16.4.3", "16.5.0", "16.5.1", "16.5.2", "16.6.0", "16.6.1", "16.6.2", "17.0.0-rc1", "17.0.0-rc2", "17.0.0-rc3", "17.0.0-rc4", "17.0.0-rc6", "17.0.0-rc8", "17.0.0-rc9", "17.0.0-rc10", "17.0.0", "17.0.1", "17.0.2", "17.1.0", "17.1.1", "17.2.0", "17.2.1", "16.6.3", "17.2.2", "17.2.3", "17.3.0", "17.3.1", "17.4.0", "17.5.0", "17.5.1", "17.5.2", "17.5.3", "17.5.4", "17.5.5", "17.6.0", "17.6.1", "17.6.2", "17.6.3", "16.6.4", "17.6.4", "16.6.5", "17.7.0", "16.7.0", "17.8.0", "17.8.1", "18.0.0", "17.8.2", "17.8.3", "18.0.1", "17.8.4", "18.1.0", "17.8.5", "16.8.4"]
Secure versions:
[]
Published date: 2020-09-01T15:20:00Z
CVE: CVE-2015-9243
Versions of hapi
prior to 11.1.4 are affected by a vulnerability that causes route-level CORS configuration to override connection-level or server-level CORS defaults. This may result in a situation where CORS permissions are less restrictive than intended.
Recommendation
Update hapi to version 11.1.4 or later.
Affected versions:
["0.0.1", "0.0.2", "0.0.3", "0.0.4", "0.0.5", "0.0.6", "0.1.0", "0.1.1", "0.1.2", "0.1.3", "0.2.0", "0.2.1", "0.3.0", "0.4.0", "0.4.1", "0.4.2", "0.4.3", "0.4.4", "0.5.0", "0.5.1", "0.6.0", "0.6.1", "0.5.2", "0.7.0", "0.7.1", "0.8.0", "0.8.1", "0.8.2", "0.8.3", "0.8.4", "0.9.0", "0.9.1", "0.9.2", "0.10.0", "0.10.1", "0.11.0", "0.11.1", "0.11.2", "0.11.3", "0.12.0", "0.13.0", "0.13.1", "0.13.2", "0.11.4", "0.13.3", "0.14.0", "0.14.1", "0.14.2", "0.15.0", "0.15.1", "0.15.2", "0.15.3", "0.15.4", "0.15.5", "0.15.6", "0.15.7", "0.15.8", "0.15.9", "0.16.0", "1.0.0", "1.0.1", "1.0.2", "1.0.3", "1.1.0", "1.2.0", "1.3.0", "1.4.0", "1.5.0", "1.6.0", "1.6.1", "1.6.2", "1.7.0", "1.7.1", "1.7.2", "1.7.3", "1.8.0", "1.8.1", "1.8.2", "1.8.3", "1.9.0", "1.9.1", "1.9.2", "1.9.3", "1.9.4", "1.9.5", "1.9.6", "1.9.7", "1.10.0", "1.11.0", "1.11.1", "1.12.0", "1.13.0", "1.14.0", "1.15.0", "1.16.0", "1.16.1", "1.17.0", "1.18.0", "1.19.0", "1.19.1", "1.19.2", "1.19.3", "1.19.4", "1.19.5", "1.20.0", "2.0.0-preview", "0.5.1-a", "0.5.1-b", "0.5.1-b2", "0.5.1-c", "2.0.0", "2.1.0", "2.1.1", "2.1.2", "2.2.0", "2.3.0", "2.4.0", "2.5.0", "2.6.0", "3.0.0", "3.0.1", "3.0.2", "3.1.0", "4.0.0", "4.0.1", "4.0.2", "4.0.3", "4.1.0", "4.1.1", "4.1.2", "4.1.3", "4.1.4", "5.0.0", "5.1.0", "6.0.0", "6.0.1", "6.0.2", "6.1.0", "6.2.0", "6.2.1", "6.2.2", "6.3.0", "6.4.0", "6.5.0", "6.5.1", "6.6.0", "6.7.0", "6.7.1", "6.8.0", "6.8.1", "6.9.0", "6.10.0", "6.11.0", "6.11.1", "7.0.0", "7.0.1", "7.1.0", "7.1.1", "7.2.0", "7.3.0", "7.4.0", "7.5.0", "7.5.1", "7.5.2", "8.0.0", "7.5.3", "8.1.0", "8.2.0", "8.3.0", "8.3.1", "8.4.0", "8.5.0", "8.5.1", "8.5.2", "8.5.3", "8.6.0", "8.6.1", "8.8.0", "8.8.1", "9.0.0", "9.0.1", "9.0.2", "9.0.3", "9.0.4", "9.1.0", "9.2.0", "9.3.0", "9.3.1", "10.0.0", "10.0.1", "10.1.0", "10.2.1", "10.4.0", "10.4.1", "10.5.0", "11.0.0", "11.0.1", "11.0.2", "11.0.3", "11.0.4", "11.0.5", "11.1.0", "11.1.1", "11.1.2", "11.1.3", "9.5.1"]
Secure versions:
[]
Published date: 2018-06-07T19:43:15Z
CVE: CVE-2015-9241
Versions of hapi
prior to 11.1.3 are affected by a denial of service vulnerability.
The vulnerability is triggered when certain input is passed into the If-Modified-Since or Last-Modified headers.
This causes an 'illegal access' exception to be raised, and instead of sending a HTTP 500 error back to the sender, hapi will continue to hold the socket open until timed out (default node timeout is 2 minutes).
Recommendation
Update to v11.1.3 or later
Affected versions:
["0.0.1", "0.0.2", "0.0.3", "0.0.4", "0.0.5", "0.0.6", "0.1.0", "0.1.1", "0.1.2", "0.1.3", "0.2.0", "0.2.1", "0.3.0", "0.4.0", "0.4.1", "0.4.2", "0.4.3", "0.4.4", "0.5.0", "0.5.1", "0.6.0", "0.6.1", "0.5.2", "0.7.0", "0.7.1", "0.8.0", "0.8.1", "0.8.2", "0.8.3", "0.8.4", "0.9.0", "0.9.1", "0.9.2", "0.10.0", "0.10.1", "0.11.0", "0.11.1", "0.11.2", "0.11.3", "0.12.0", "0.13.0", "0.13.1", "0.13.2", "0.11.4", "0.13.3", "0.14.0", "0.14.1", "0.14.2", "0.15.0", "0.15.1", "0.15.2", "0.15.3", "0.15.4", "0.15.5", "0.15.6", "0.15.7", "0.15.8", "0.15.9", "0.16.0", "1.0.0", "1.0.1", "1.0.2", "1.0.3", "1.1.0", "1.2.0", "1.3.0", "1.4.0", "1.5.0", "1.6.0", "1.6.1", "1.6.2", "1.7.0", "1.7.1", "1.7.2", "1.7.3", "1.8.0", "1.8.1", "1.8.2", "1.8.3", "1.9.0", "1.9.1", "1.9.2", "1.9.3", "1.9.4", "1.9.5", "1.9.6", "1.9.7", "1.10.0", "1.11.0", "1.11.1", "1.12.0", "1.13.0", "1.14.0", "1.15.0", "1.16.0", "1.16.1", "1.17.0", "1.18.0", "1.19.0", "1.19.1", "1.19.2", "1.19.3", "1.19.4", "1.19.5", "1.20.0", "2.0.0-preview", "0.5.1-a", "0.5.1-b", "0.5.1-b2", "0.5.1-c", "2.0.0", "2.1.0", "2.1.1", "2.1.2", "2.2.0", "2.3.0", "2.4.0", "2.5.0", "2.6.0", "3.0.0", "3.0.1", "3.0.2", "3.1.0", "4.0.0", "4.0.1", "4.0.2", "4.0.3", "4.1.0", "4.1.1", "4.1.2", "4.1.3", "4.1.4", "5.0.0", "5.1.0", "6.0.0", "6.0.1", "6.0.2", "6.1.0", "6.2.0", "6.2.1", "6.2.2", "6.3.0", "6.4.0", "6.5.0", "6.5.1", "6.6.0", "6.7.0", "6.7.1", "6.8.0", "6.8.1", "6.9.0", "6.10.0", "6.11.0", "6.11.1", "7.0.0", "7.0.1", "7.1.0", "7.1.1", "7.2.0", "7.3.0", "7.4.0", "7.5.0", "7.5.1", "7.5.2", "8.0.0", "7.5.3", "8.1.0", "8.2.0", "8.3.0", "8.3.1", "8.4.0", "8.5.0", "8.5.1", "8.5.2", "8.5.3", "8.6.0", "8.6.1", "8.8.0", "8.8.1", "9.0.0", "9.0.1", "9.0.2", "9.0.3", "9.0.4", "9.1.0", "9.2.0", "9.3.0", "9.3.1", "10.0.0", "10.0.1", "10.1.0", "10.2.1", "10.4.0", "10.4.1", "10.5.0", "11.0.0", "11.0.1", "11.0.2", "11.0.3", "11.0.4", "11.0.5", "11.1.0", "11.1.1", "11.1.2", "9.5.1"]
Secure versions:
[]
Published date: 2018-06-07T19:43:25Z
CVE: CVE-2015-9236
Versions of hapi
prior to 11.0.0 implement CORS incorrectly, allowing for configurations that at best return inconsistent headers, and at worst allow cross-origin activities that are expected to be forbidden.
If the connection has CORS enabled but one route has it off, and the route is not GET, the OPTIONS prefetch request will return the default CORS headers and then the actual request will go through and return no CORS headers. This defeats the purpose of turning CORS on the route.
Recommendation
Update to version 11.0.0 or later.
Affected versions:
["0.0.1", "0.0.2", "0.0.3", "0.0.4", "0.0.5", "0.0.6", "0.1.0", "0.1.1", "0.1.2", "0.1.3", "0.2.0", "0.2.1", "0.3.0", "0.4.0", "0.4.1", "0.4.2", "0.4.3", "0.4.4", "0.5.0", "0.5.1", "0.6.0", "0.6.1", "0.5.2", "0.7.0", "0.7.1", "0.8.0", "0.8.1", "0.8.2", "0.8.3", "0.8.4", "0.9.0", "0.9.1", "0.9.2", "0.10.0", "0.10.1", "0.11.0", "0.11.1", "0.11.2", "0.11.3", "0.12.0", "0.13.0", "0.13.1", "0.13.2", "0.11.4", "0.13.3", "0.14.0", "0.14.1", "0.14.2", "0.15.0", "0.15.1", "0.15.2", "0.15.3", "0.15.4", "0.15.5", "0.15.6", "0.15.7", "0.15.8", "0.15.9", "0.16.0", "1.0.0", "1.0.1", "1.0.2", "1.0.3", "1.1.0", "1.2.0", "1.3.0", "1.4.0", "1.5.0", "1.6.0", "1.6.1", "1.6.2", "1.7.0", "1.7.1", "1.7.2", "1.7.3", "1.8.0", "1.8.1", "1.8.2", "1.8.3", "1.9.0", "1.9.1", "1.9.2", "1.9.3", "1.9.4", "1.9.5", "1.9.6", "1.9.7", "1.10.0", "1.11.0", "1.11.1", "1.12.0", "1.13.0", "1.14.0", "1.15.0", "1.16.0", "1.16.1", "1.17.0", "1.18.0", "1.19.0", "1.19.1", "1.19.2", "1.19.3", "1.19.4", "1.19.5", "1.20.0", "2.0.0-preview", "0.5.1-a", "0.5.1-b", "0.5.1-b2", "0.5.1-c", "2.0.0", "2.1.0", "2.1.1", "2.1.2", "2.2.0", "2.3.0", "2.4.0", "2.5.0", "2.6.0", "3.0.0", "3.0.1", "3.0.2", "3.1.0", "4.0.0", "4.0.1", "4.0.2", "4.0.3", "4.1.0", "4.1.1", "4.1.2", "4.1.3", "4.1.4", "5.0.0", "5.1.0", "6.0.0", "6.0.1", "6.0.2", "6.1.0", "6.2.0", "6.2.1", "6.2.2", "6.3.0", "6.4.0", "6.5.0", "6.5.1", "6.6.0", "6.7.0", "6.7.1", "6.8.0", "6.8.1", "6.9.0", "6.10.0", "6.11.0", "6.11.1", "7.0.0", "7.0.1", "7.1.0", "7.1.1", "7.2.0", "7.3.0", "7.4.0", "7.5.0", "7.5.1", "7.5.2", "8.0.0", "7.5.3", "8.1.0", "8.2.0", "8.3.0", "8.3.1", "8.4.0", "8.5.0", "8.5.1", "8.5.2", "8.5.3", "8.6.0", "8.6.1", "8.8.0", "8.8.1", "9.0.0", "9.0.1", "9.0.2", "9.0.3", "9.0.4", "9.1.0", "9.2.0", "9.3.0", "9.3.1", "10.0.0", "10.0.1", "10.1.0", "10.2.1", "10.4.0", "10.4.1", "10.5.0", "9.5.1"]
Secure versions:
[]
Published date: 2014-07-08
CVEs: ["CVE-2014-4671A"]
CVSS Score: 7.4
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Coordinating vendor: ^Lift Security
This description taken from the pull request provided by Patrick Kettner.
Background from the vulnerabilty finder
tl:dr - someone created a alphanum only swf converter, which means that they can in theory use it as a callback at a JSONP endpoint, and as a result, send data across domains.
Prepending callbacks with an empty inline comment breaks the flash parser, and prevents the issue. This is a fairly common solution currently being implemented by Google, Facebook, and Github.
Affected versions:
["0.0.1", "0.0.2", "0.0.3", "0.0.4", "0.0.5", "0.0.6", "0.1.0", "0.1.1", "0.1.2", "0.1.3", "0.2.0", "0.2.1", "0.3.0", "0.4.0", "0.4.1", "0.4.2", "0.4.3", "0.4.4", "0.5.0", "0.5.1", "0.6.0", "0.6.1", "0.5.2", "0.7.0", "0.7.1", "0.8.0", "0.8.1", "0.8.2", "0.8.3", "0.8.4", "0.9.0", "0.9.1", "0.9.2", "0.10.0", "0.10.1", "0.11.0", "0.11.1", "0.11.2", "0.11.3", "0.12.0", "0.13.0", "0.13.1", "0.13.2", "0.11.4", "0.13.3", "0.14.0", "0.14.1", "0.14.2", "0.15.0", "0.15.1", "0.15.2", "0.15.3", "0.15.4", "0.15.5", "0.15.6", "0.15.7", "0.15.8", "0.15.9", "0.16.0", "1.0.0", "1.0.1", "1.0.2", "1.0.3", "1.1.0", "1.2.0", "1.3.0", "1.4.0", "1.5.0", "1.6.0", "1.6.1", "1.6.2", "1.7.0", "1.7.1", "1.7.2", "1.7.3", "1.8.0", "1.8.1", "1.8.2", "1.8.3", "1.9.0", "1.9.1", "1.9.2", "1.9.3", "1.9.4", "1.9.5", "1.9.6", "1.9.7", "1.10.0", "1.11.0", "1.11.1", "1.12.0", "1.13.0", "1.14.0", "1.15.0", "1.16.0", "1.16.1", "1.17.0", "1.18.0", "1.19.0", "1.19.1", "1.19.2", "1.19.3", "1.19.4", "1.19.5", "1.20.0", "2.0.0-preview", "0.5.1-a", "0.5.1-b", "0.5.1-b2", "0.5.1-c", "2.0.0", "2.1.0", "2.1.1", "2.1.2", "2.2.0", "2.3.0", "2.4.0", "2.5.0", "2.6.0", "3.0.0", "3.0.1", "3.0.2", "3.1.0", "4.0.0", "4.0.1", "4.0.2", "4.0.3", "4.1.0", "4.1.1", "4.1.2", "4.1.3", "4.1.4", "5.0.0", "5.1.0", "6.0.0", "6.0.1", "6.0.2"]
Secure versions:
[]
Recommendation:
- Update to the latest version of hapi.js
Published date: 2015-10-20
CVSS Score: 5.3
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Coordinating vendor: ^Lift Security
Hapi versions less than 11.0.0 implement CORS incorrectly and allowed for configurations that at best returned inconsistent headers and at worst allowed cross-origin activities that were expected to be forbidden. [1]
'If the connection has CORS enabled but one route has it off, and the route is not GET, the OPTIONS prefetch request will return the default CORS headers and then the actual request will go through and return no CORS headers. This defeats the purpose of turning CORS on the route.' [2]
Affected versions:
["0.0.1", "0.0.2", "0.0.3", "0.0.4", "0.0.5", "0.0.6", "0.1.0", "0.1.1", "0.1.2", "0.1.3", "0.2.0", "0.2.1", "0.3.0", "0.4.0", "0.4.1", "0.4.2", "0.4.3", "0.4.4", "0.5.0", "0.5.1", "0.6.0", "0.6.1", "0.5.2", "0.7.0", "0.7.1", "0.8.0", "0.8.1", "0.8.2", "0.8.3", "0.8.4", "0.9.0", "0.9.1", "0.9.2", "0.10.0", "0.10.1", "0.11.0", "0.11.1", "0.11.2", "0.11.3", "0.12.0", "0.13.0", "0.13.1", "0.13.2", "0.11.4", "0.13.3", "0.14.0", "0.14.1", "0.14.2", "0.15.0", "0.15.1", "0.15.2", "0.15.3", "0.15.4", "0.15.5", "0.15.6", "0.15.7", "0.15.8", "0.15.9", "0.16.0", "1.0.0", "1.0.1", "1.0.2", "1.0.3", "1.1.0", "1.2.0", "1.3.0", "1.4.0", "1.5.0", "1.6.0", "1.6.1", "1.6.2", "1.7.0", "1.7.1", "1.7.2", "1.7.3", "1.8.0", "1.8.1", "1.8.2", "1.8.3", "1.9.0", "1.9.1", "1.9.2", "1.9.3", "1.9.4", "1.9.5", "1.9.6", "1.9.7", "1.10.0", "1.11.0", "1.11.1", "1.12.0", "1.13.0", "1.14.0", "1.15.0", "1.16.0", "1.16.1", "1.17.0", "1.18.0", "1.19.0", "1.19.1", "1.19.2", "1.19.3", "1.19.4", "1.19.5", "1.20.0", "2.0.0-preview", "0.5.1-a", "0.5.1-b", "0.5.1-b2", "0.5.1-c", "2.0.0", "2.1.0", "2.1.1", "2.1.2", "2.2.0", "2.3.0", "2.4.0", "2.5.0", "2.6.0", "3.0.0", "3.0.1", "3.0.2", "3.1.0", "4.0.0", "4.0.1", "4.0.2", "4.0.3", "4.1.0", "4.1.1", "4.1.2", "4.1.3", "4.1.4", "5.0.0", "5.1.0", "6.0.0", "6.0.1", "6.0.2", "6.1.0", "6.2.0", "6.2.1", "6.2.2", "6.3.0", "6.4.0", "6.5.0", "6.5.1", "6.6.0", "6.7.0", "6.7.1", "6.8.0", "6.8.1", "6.9.0", "6.10.0", "6.11.0", "6.11.1", "7.0.0", "7.0.1", "7.1.0", "7.1.1", "7.2.0", "7.3.0", "7.4.0", "7.5.0", "7.5.1", "7.5.2", "8.0.0", "7.5.3", "8.1.0", "8.2.0", "8.3.0", "8.3.1", "8.4.0", "8.5.0", "8.5.1", "8.5.2", "8.5.3", "8.6.0", "8.6.1", "8.8.0", "8.8.1", "9.0.0", "9.0.1", "9.0.2", "9.0.3", "9.0.4", "9.1.0", "9.2.0", "9.3.0", "9.3.1", "10.0.0", "10.0.1", "10.1.0", "10.2.1", "10.4.0", "10.4.1", "10.5.0", "9.5.1"]
Secure versions:
[]
Recommendation:
Updated to hapi version 11.0.0 or greater
Published date: 2015-12-23
CVSS Score: 7.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Coordinating vendor: ^Lift Security
Certain input passed into the If-Modified-Since or Last-Modified headers will cause an 'illegal access' exception to be raised. Instead of sending a HTTP 500 error back to the sender, hapi will continue to hold the socket open until timed out (default node timeout is 2 minutes).
Special thanks to James Halliday for bringing this exception pattern to our attention via the ecstatic advisory which lead to identifying this.
Affected versions:
["0.0.1", "0.0.2", "0.0.3", "0.0.4", "0.0.5", "0.0.6", "0.1.0", "0.1.1", "0.1.2", "0.1.3", "0.2.0", "0.2.1", "0.3.0", "0.4.0", "0.4.1", "0.4.2", "0.4.3", "0.4.4", "0.5.0", "0.5.1", "0.6.0", "0.6.1", "0.5.2", "0.7.0", "0.7.1", "0.8.0", "0.8.1", "0.8.2", "0.8.3", "0.8.4", "0.9.0", "0.9.1", "0.9.2", "0.10.0", "0.10.1", "0.11.0", "0.11.1", "0.11.2", "0.11.3", "0.12.0", "0.13.0", "0.13.1", "0.13.2", "0.11.4", "0.13.3", "0.14.0", "0.14.1", "0.14.2", "0.15.0", "0.15.1", "0.15.2", "0.15.3", "0.15.4", "0.15.5", "0.15.6", "0.15.7", "0.15.8", "0.15.9", "0.16.0", "1.0.0", "1.0.1", "1.0.2", "1.0.3", "1.1.0", "1.2.0", "1.3.0", "1.4.0", "1.5.0", "1.6.0", "1.6.1", "1.6.2", "1.7.0", "1.7.1", "1.7.2", "1.7.3", "1.8.0", "1.8.1", "1.8.2", "1.8.3", "1.9.0", "1.9.1", "1.9.2", "1.9.3", "1.9.4", "1.9.5", "1.9.6", "1.9.7", "1.10.0", "1.11.0", "1.11.1", "1.12.0", "1.13.0", "1.14.0", "1.15.0", "1.16.0", "1.16.1", "1.17.0", "1.18.0", "1.19.0", "1.19.1", "1.19.2", "1.19.3", "1.19.4", "1.19.5", "1.20.0", "2.0.0-preview", "0.5.1-a", "0.5.1-b", "0.5.1-b2", "0.5.1-c", "2.0.0", "2.1.0", "2.1.1", "2.1.2", "2.2.0", "2.3.0", "2.4.0", "2.5.0", "2.6.0", "3.0.0", "3.0.1", "3.0.2", "3.1.0", "4.0.0", "4.0.1", "4.0.2", "4.0.3", "4.1.0", "4.1.1", "4.1.2", "4.1.3", "4.1.4", "5.0.0", "5.1.0", "6.0.0", "6.0.1", "6.0.2", "6.1.0", "6.2.0", "6.2.1", "6.2.2", "6.3.0", "6.4.0", "6.5.0", "6.5.1", "6.6.0", "6.7.0", "6.7.1", "6.8.0", "6.8.1", "6.9.0", "6.10.0", "6.11.0", "6.11.1", "7.0.0", "7.0.1", "7.1.0", "7.1.1", "7.2.0", "7.3.0", "7.4.0", "7.5.0", "7.5.1", "7.5.2", "8.0.0", "7.5.3", "8.1.0", "8.2.0", "8.3.0", "8.3.1", "8.4.0", "8.5.0", "8.5.1", "8.5.2", "8.5.3", "8.6.0", "8.6.1", "8.8.0", "8.8.1", "9.0.0", "9.0.1", "9.0.2", "9.0.3", "9.0.4", "9.1.0", "9.2.0", "9.3.0", "9.3.1", "10.0.0", "10.0.1", "10.1.0", "10.2.1", "10.4.0", "10.4.1", "10.5.0", "11.0.0", "11.0.1", "11.0.2", "11.0.3", "11.0.4", "11.0.5", "11.1.0", "11.1.1", "11.1.2", "9.5.1"]
Secure versions:
[]
Recommendation:
Upgrade to hapi v11.1.3 or greater.
Published date: 2015-12-28
CVSS Score: 6.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Coordinating vendor: ^Lift Security
When server level, connection level or route level CORS configurations are combined and when a higher level config included security restrictions (like origin), a higher level config that included security restrictions (like origin) would have those restrictions overridden by less restrictive defaults (e.g. origin defaults to all origins *
).
Affected versions:
["0.0.1", "0.0.2", "0.0.3", "0.0.4", "0.0.5", "0.0.6", "0.1.0", "0.1.1", "0.1.2", "0.1.3", "0.2.0", "0.2.1", "0.3.0", "0.4.0", "0.4.1", "0.4.2", "0.4.3", "0.4.4", "0.5.0", "0.5.1", "0.6.0", "0.6.1", "0.5.2", "0.7.0", "0.7.1", "0.8.0", "0.8.1", "0.8.2", "0.8.3", "0.8.4", "0.9.0", "0.9.1", "0.9.2", "0.10.0", "0.10.1", "0.11.0", "0.11.1", "0.11.2", "0.11.3", "0.12.0", "0.13.0", "0.13.1", "0.13.2", "0.11.4", "0.13.3", "0.14.0", "0.14.1", "0.14.2", "0.15.0", "0.15.1", "0.15.2", "0.15.3", "0.15.4", "0.15.5", "0.15.6", "0.15.7", "0.15.8", "0.15.9", "0.16.0", "1.0.0", "1.0.1", "1.0.2", "1.0.3", "1.1.0", "1.2.0", "1.3.0", "1.4.0", "1.5.0", "1.6.0", "1.6.1", "1.6.2", "1.7.0", "1.7.1", "1.7.2", "1.7.3", "1.8.0", "1.8.1", "1.8.2", "1.8.3", "1.9.0", "1.9.1", "1.9.2", "1.9.3", "1.9.4", "1.9.5", "1.9.6", "1.9.7", "1.10.0", "1.11.0", "1.11.1", "1.12.0", "1.13.0", "1.14.0", "1.15.0", "1.16.0", "1.16.1", "1.17.0", "1.18.0", "1.19.0", "1.19.1", "1.19.2", "1.19.3", "1.19.4", "1.19.5", "1.20.0", "2.0.0-preview", "0.5.1-a", "0.5.1-b", "0.5.1-b2", "0.5.1-c", "2.0.0", "2.1.0", "2.1.1", "2.1.2", "2.2.0", "2.3.0", "2.4.0", "2.5.0", "2.6.0", "3.0.0", "3.0.1", "3.0.2", "3.1.0", "4.0.0", "4.0.1", "4.0.2", "4.0.3", "4.1.0", "4.1.1", "4.1.2", "4.1.3", "4.1.4", "5.0.0", "5.1.0", "6.0.0", "6.0.1", "6.0.2", "6.1.0", "6.2.0", "6.2.1", "6.2.2", "6.3.0", "6.4.0", "6.5.0", "6.5.1", "6.6.0", "6.7.0", "6.7.1", "6.8.0", "6.8.1", "6.9.0", "6.10.0", "6.11.0", "6.11.1", "7.0.0", "7.0.1", "7.1.0", "7.1.1", "7.2.0", "7.3.0", "7.4.0", "7.5.0", "7.5.1", "7.5.2", "8.0.0", "7.5.3", "8.1.0", "8.2.0", "8.3.0", "8.3.1", "8.4.0", "8.5.0", "8.5.1", "8.5.2", "8.5.3", "8.6.0", "8.6.1", "8.8.0", "8.8.1", "9.0.0", "9.0.1", "9.0.2", "9.0.3", "9.0.4", "9.1.0", "9.2.0", "9.3.0", "9.3.1", "10.0.0", "10.0.1", "10.1.0", "10.2.1", "10.4.0", "10.4.1", "10.5.0", "11.0.0", "11.0.1", "11.0.2", "11.0.3", "11.0.4", "11.0.5", "11.1.0", "11.1.1", "11.1.2", "11.1.3", "9.5.1"]
Secure versions:
[]
Recommendation:
You should install hapi v11.1.4 or newer if you combine server level, connection level, or route level CORS configuration.
295 Other Versions