Rosetta Flash JSONP vulnerability
Affecting hapi package, versions < 6.1.0
Overview
This description is taken from the pull request provided by Patrick Kettner.
tl;dr - someone created an alphanumeric-only SWF converter, which means that they can in theory use it as a callback at a JSONP endpoint, and as a result, send data across domains.
Prepending callbacks with an empty inline comment breaks the Flash parser and prevents the issue. This is a fairly common solution currently being implemented by Google, Facebook, and GitHub.
Source: Node Security Project
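The mitigation described in the overview, as an added Node.js example that is not hapi's own code: the callback name is allow-listed and the response body is prefixed with an empty inline comment so its first bytes are never caller controlled. The function names, the 64-character limit and the constructed inputs are assumptions for illustration.

```javascript
// Added example (not hapi's code): harden a JSONP response against Rosetta Flash.
// A JSONP body is only usable as a Flash file if it begins with the SWF
// signature ("FWS"/"CWS"/"ZWS"), which an alphanumeric-only callback name could
// supply. Emitting "/**/" first means the response never starts with caller
// controlled bytes; a strict allow-list on the callback name rejects anything
// that is not a plain identifier path such as "jQuery123_cb" or "app.cb".

const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;
const MAX_CALLBACK_LENGTH = 64; // assumed limit for this example
const SWF_MAGIC = ["FWS", "CWS", "ZWS"];

// Returns the hardened JSONP body, or throws for an unacceptable callback name.
function jsonpBody(callback, payload) {
  if (
    typeof callback !== "string" ||
    callback.length > MAX_CALLBACK_LENGTH ||
    !CALLBACK_RE.test(callback)
  ) {
    throw new Error("invalid JSONP callback name");
  }
  // JSON.stringify does not escape U+2028/U+2029, which are line terminators
  // in JavaScript source; escape them so the body stays a valid script.
  const json = JSON.stringify(payload)
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
  return `/**/${callback}(${json});`;
}

// Defensive check used in tests: true when the body begins with an SWF signature.
function startsWithSwfMagic(body) {
  return SWF_MAGIC.some((magic) => body.startsWith(magic));
}

// Headers to send with the body: an explicit script content type plus nosniff,
// so the browser does not reinterpret the response as another type.
function jsonpHeaders() {
  return {
    "Content-Type": "application/javascript; charset=utf-8",
    "X-Content-Type-Options": "nosniff",
  };
}
```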
Details
Background from the vulnerability finder
Remediation
Upgrade to the latest version of hapi.js
References
Snyk patch available for versions:
- >=2.3.0 <6.1.0
CVSS Score
7.4
medium severity
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: None
- Credit: Michele Spagnuolo
- CVE: CVE-2014-4671
- CWE: CWE-942
- Snyk ID: npm:hapi:20140708-1
- Disclosed: 08 Jul, 2014
- Published: 08 Jul, 2014