Potentially loose security restrictions

Affecting hapi package, versions <11.1.4


Overview

Security restrictions (e.g. origin) are overridden by less restrictive defaults (i.e. all origins) when server-level, connection-level or route-level CORS configurations are combined.
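
The following added example (not code from hapi or from this advisory) models one way such an override can arise when layered settings are combined: defaults applied at every level before the merge, next to a merge that applies defaults once, plus a check that flags a lost origin restriction. The function names, the `CORS_DEFAULTS` object and the sample configuration are assumptions made for illustration.

```javascript
// Simplified model of layered CORS settings. This is NOT hapi's source code;
// every name below is hypothetical.
const CORS_DEFAULTS = { origin: ['*'], additionalHeaders: [] };

// Flawed: each level is expanded with the defaults before the levels are
// combined, so a key that a narrower level never set still carries the
// permissive default and replaces the restriction set at a broader level.
function combineFlawed(...levels) {
    return levels
        .map((level) => ({ ...CORS_DEFAULTS, ...level }))
        .reduce((merged, level) => ({ ...merged, ...level }), {});
}

// Corrected: combine only the keys each level set explicitly, then fill in
// the defaults once for whatever is still missing.
function combineFixed(...levels) {
    const explicit = levels.reduce((merged, level) => ({ ...merged, ...level }), {});
    return { ...CORS_DEFAULTS, ...explicit };
}

// Check for tests or config review: the most specific origin list that was
// set explicitly must bound the origins that end up in effect.
function originRestrictionLost(levels, effective) {
    const explicit = levels.filter((level) => Array.isArray(level.origin)).pop();
    if (!explicit) return false; // no level restricted origins
    const allowed = new Set(explicit.origin);
    return effective.origin.some((origin) => !allowed.has(origin));
}

// Constructed sample: origin restricted at connection level, route sets only headers.
const sampleLevels = [
    {},                                          // server level
    { origin: ['https://app.example.com'] },     // connection level
    { additionalHeaders: ['x-request-id'] }      // route level
];

for (const [name, combine] of [['flawed', combineFlawed], ['fixed', combineFixed]]) {
    const effective = combine(...sampleLevels);
    console.log(name, effective.origin, 'restriction lost:',
        originRestrictionLost(sampleLevels, effective));
}
```

A check like `originRestrictionLost` can run in a test suite against the effective settings of each route after upgrading past the affected versions.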

CVSS Score

6.5 (low severity)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: Low
  • Availability: None
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Credit: Eran Hammer
CVE: CVE-2015-9243
CWE: CWE-358
Snyk ID: npm:hapi:20151228
Disclosed: 28 Dec, 2015
Published: 05 Jan, 2016