CORS Token Disclosure

Affecting crumb package, versions <3.0.0

Overview

When CORS is enabled on a hapi route handler, it is possible to set a crumb token for a different domain. An attacker would need to have a user of the application visit a site the attacker controls, request a route supporting CORS, and then retrieve the token. With this token, the attacker could possibly make requests to non-CORS routes as this user.

A configuration and scenario where this would occur is unlikely, as most configurations will set CORS globally (where crumb is not used), or not at all.

Source: Node Security Project

Remediation

Update crumb to version 3.0.0 or greater.
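
One way to check a project against this remediation, as an added example (not code from crumb, hapi or the advisory): it scans a parsed package-lock.json for any installed copy of crumb older than 3.0.0, including copies nested under other packages. The function names, the sample lockfile and the package name example-plugin are constructed for illustration.

```javascript
// Added example: report crumb installs below 3.0.0 in a parsed package-lock.json.
// Handles lockfile v1 (nested "dependencies") and v2/v3 (flat "packages" map).
const FIXED = [3, 0, 0]; // first fixed version, per the advisory

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v));
  return m ? { core: [+m[1], +m[2], +m[3]], pre: Boolean(m[4]) } : null;
}

function isVulnerable(version) {
  const p = parseVersion(version);
  if (!p) return true; // not plain semver (git URL, tag): flag for manual review
  for (let i = 0; i < 3; i++) {
    if (p.core[i] !== FIXED[i]) return p.core[i] < FIXED[i];
  }
  return p.pre; // a prerelease such as 3.0.0-rc.1 sorts before 3.0.0
}

function findVulnerableCrumb(lock) {
  const hits = [];
  // v2/v3: keys look like "node_modules/a/node_modules/crumb"
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.split('node_modules/').pop() === 'crumb' && isVulnerable(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  // v1 only: v2 files repeat the tree in "dependencies", so skip it when "packages" exists
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${name}`;
      if (name === 'crumb' && isVulnerable(meta.version)) hits.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.packages ? null : lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile (v1 shape), not taken from a real project.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    crumb: { version: '2.2.0' },
    'example-plugin': { version: '1.0.0', dependencies: { crumb: { version: '3.0.0' } } },
  },
};
console.log(findVulnerableCrumb(sampleLock));
```

To run it against a real project, replace sampleLock with the result of JSON.parse on the project's package-lock.json.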

CVSS Score

5.4 (medium severity)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: None
  • Availability: Low
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L

Credit: Marcus Stong
CVE: CVE-2014-7193
CWE: CWE-284
Snyk ID: npm:crumb:20140801
Disclosed: 01 Aug, 2014
Published: 01 Aug, 2014