Improper input validation

Affecting call package, versions >=2.0.1 <3.0.2


Overview

call is the primary HTTP router of the hapi framework.

The vulnerability arises from undefined values inside a path (the last segment being an exception) making their way into components that do not account for values being undefined (e.g. the database layer).

For example, the request URI /delete/company// may incorrectly match a route looking for /delete/company/{company}/. By itself, the bad match is not a vulnerability. However, depending on the remaining logic in the application, such a bad match may result in skipping a protection mechanism. In the above example, if the route translates to a DB delete command, it might delete all the companies from the DB.
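The bad match and its consequence, modelled as an added example (this is not code from hapi or call; the matcher, the toy data layer and the handler are simplified assumptions), alongside the handler-side check that stops the undefined value from reaching the data layer:

```javascript
// Simplified path matcher (an assumption, not call's real algorithm): binds
// {name} segments to parameters. With strict=false an empty segment binds
// undefined, modelling the bug; with strict=true it is rejected, modelling
// the hardened behaviour.
function matchRoute(routePath, requestPath, strict) {
  const routeSegs = routePath.split('/');
  const reqSegs = requestPath.split('/');
  if (routeSegs.length !== reqSegs.length) return null;
  const params = {};
  for (let i = 0; i < routeSegs.length; i++) {
    const r = routeSegs[i];
    const q = reqSegs[i];
    if (r.startsWith('{') && r.endsWith('}')) {
      if (q === '') {
        if (strict) return null;            // empty segment: no match
        params[r.slice(1, -1)] = undefined; // lenient: param is undefined
      } else {
        params[r.slice(1, -1)] = decodeURIComponent(q);
      }
    } else if (r !== q) {
      return null;
    }
  }
  return params;
}

// Toy data layer (constructed): like many query builders, an undefined filter
// value is treated as "no condition", so every row is removed.
function deleteCompanies(db, company) {
  const before = db.length;
  const kept = company === undefined ? [] : db.filter((c) => c.name !== company);
  db.splice(0, db.length, ...kept);
  return before - kept.length; // number of rows deleted
}

// Route handler. With validate=false it trusts the bound parameter, so an
// undefined value reaches the data layer. With validate=true it requires a
// non-empty string first, a check the handler should make in its own right.
function handleDelete(db, params, validate) {
  if (validate && (typeof params.company !== 'string' || params.company === '')) {
    return { status: 400, deleted: 0 };
  }
  return { status: 200, deleted: deleteCompanies(db, params.company) };
}

// Constructed sample table for a stand-alone run.
function sampleDb() {
  return [{ name: 'acme' }, { name: 'globex' }, { name: 'initech' }];
}
```

Running handleDelete(sampleDb(), matchRoute('/delete/company/{company}/', '/delete/company//', false), false) removes all three rows, while the same request with validation enabled returns 400 and leaves the table untouched.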

Remediation

Upgrade to version 3.0.2 or higher.

References

https://github.com/hapijs/hapi/issues/3228
https://github.com/hapijs/call/commit/9570eee5358b4383715cc6a13cb95971678efd30


CVSS Score

5.3 (medium severity)
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    None
  • Integrity
    Low
  • Availability
    None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Credit: Nicolas Morel
CVE: CVE-2016-10543
CWE: CWE-20
Snyk ID: npm:call:20160705
Disclosed: 05 Jul, 2016
Published: 05 Jul, 2016