NodeJS/hapi/7.4.0


HTTP Server framework

https://www.npmjs.com/package/hapi
BSD

7 Security Vulnerabilities

Denial of Service in hapi

Published date: 2020-09-03T15:48:00Z
Links:

All Versions of hapi are vulnerable to Denial of Service. The CORS request handler has a vulnerability which will cause the function to throw a system error if the header contains some invalid values. If no unhandled exception handler is available, the application will exist, allowing an attacker to shut down services.

Recommendation

This package is deprecated and is now maintained as @hapi/hapi. Please update your dependencies to use @hapi/hapi.

Affected versions: ["0.0.1", "0.0.2", "0.0.3", "0.0.4", "0.0.5", "0.0.6", "0.1.0", "0.1.1", "0.1.2", "0.1.3", "0.2.0", "0.2.1", "0.3.0", "0.4.0", "0.4.1", "0.4.2", "0.4.3", "0.4.4", "0.5.0", "0.5.1", "0.6.0", "0.6.1", "0.5.2", "0.7.0", "0.7.1", "0.8.0", "0.8.1", "0.8.2", "0.8.3", "0.8.4", "0.9.0", "0.9.1", "0.9.2", "0.10.0", "0.10.1", "0.11.0", "0.11.1", "0.11.2", "0.11.3", "0.12.0", "0.13.0", "0.13.1", "0.13.2", "0.11.4", "0.13.3", "0.14.0", "0.14.1", "0.14.2", "0.15.0", "0.15.1", "0.15.2", "0.15.3", "0.15.4", "0.15.5", "0.15.6", "0.15.7", "0.15.8", "0.15.9", "0.16.0", "1.0.0", "1.0.1", "1.0.2", "1.0.3", "1.1.0", "1.2.0", "1.3.0", "1.4.0", "1.5.0", "1.6.0", "1.6.1", "1.6.2", "1.7.0", "1.7.1", "1.7.2", "1.7.3", "1.8.0", "1.8.1", "1.8.2", "1.8.3", "1.9.0", "1.9.1", "1.9.2", "1.9.3", "1.9.4", "1.9.5", "1.9.6", "1.9.7", "1.10.0", "1.11.0", "1.11.1", "1.12.0", "1.13.0", "1.14.0", "1.15.0", "1.16.0", "1.16.1", "1.17.0", "1.18.0", "1.19.0", "1.19.1", "1.19.2", "1.19.3", "1.19.4", "1.19.5", "1.20.0", "2.0.0-preview", "0.5.1-a", "0.5.1-b", "0.5.1-b2", "0.5.1-c", "2.0.0", "2.1.0", "2.1.1", "2.1.2", "2.2.0", "2.3.0", "2.4.0", "2.5.0", "2.6.0", "3.0.0", "3.0.1", "3.0.2", "3.1.0", "4.0.0", "4.0.1", "4.0.2", "4.0.3", "4.1.0", "4.1.1", "4.1.2", "4.1.3", "4.1.4", "5.0.0", "5.1.0", "6.0.0", "6.0.1", "6.0.2", "6.1.0", "6.2.0", "6.2.1", "6.2.2", "6.3.0", "6.4.0", "6.5.0", "6.5.1", "6.6.0", "6.7.0", "6.7.1", "6.8.0", "6.8.1", "6.9.0", "6.10.0", "6.11.0", "6.11.1", "7.0.0", "7.0.1", "7.1.0", "7.1.1", "7.2.0", "7.3.0", "7.4.0", "7.5.0", "7.5.1", "7.5.2", "8.0.0", "7.5.3", "8.1.0", "8.2.0", "8.3.0", "8.3.1", "8.4.0", "8.5.0", "8.5.1", "8.5.2", "8.5.3", "8.6.0", "8.6.1", "8.8.0", "8.8.1", "9.0.0", "9.0.1", "9.0.2", "9.0.3", "9.0.4", "9.1.0", "9.2.0", "9.3.0", "9.3.1", "10.0.0", "10.0.1", "10.1.0", "10.2.1", "10.4.0", "10.4.1", "10.5.0", "11.0.0", "11.0.1", "11.0.2", "11.0.3", "11.0.4", "11.0.5", "11.1.0", "11.1.1", "11.1.2", "11.1.3", "11.1.4", "12.0.0", "12.0.1", "12.1.0", "9.5.1", "13.0.0", "13.1.0", "13.2.0", "13.2.1", "13.2.2", "13.3.0", "13.4.0", "13.4.1", "13.4.2", "13.5.0", "14.0.0", "13.5.3", "14.1.0", "14.2.0", "15.0.1", "15.0.2", "15.0.3", "15.1.0", "15.1.1", "15.2.0", "16.0.0", "16.0.1", "16.0.2", "16.0.3", "16.1.0", "16.1.1", "16.2.0", "16.3.0", "16.3.1", "16.4.0", "16.4.1", "16.4.2", "16.4.3", "16.5.0", "16.5.1", "16.5.2", "16.6.0", "16.6.1", "16.6.2", "17.0.0-rc1", "17.0.0-rc2", "17.0.0-rc3", "17.0.0-rc4", "17.0.0-rc6", "17.0.0-rc8", "17.0.0-rc9", "17.0.0-rc10", "17.0.0", "17.0.1", "17.0.2", "17.1.0", "17.1.1", "17.2.0", "17.2.1", "16.6.3", "17.2.2", "17.2.3", "17.3.0", "17.3.1", "17.4.0", "17.5.0", "17.5.1", "17.5.2", "17.5.3", "17.5.4", "17.5.5", "17.6.0", "17.6.1", "17.6.2", "17.6.3", "16.6.4", "17.6.4", "16.6.5", "17.7.0", "16.7.0", "17.8.0", "17.8.1", "18.0.0", "17.8.2", "17.8.3", "18.0.1", "17.8.4", "18.1.0", "17.8.5", "16.8.4"]
Secure versions: []

Unsafe Merging of CORS Configuration Conflict in hapi

Published date: 2020-09-01T15:20:00Z
CVE: CVE-2015-9243
Links:

Versions of hapi prior to 11.1.4 are affected by a vulnerability that causes route-level CORS configuration to override connection-level or server-level CORS defaults. This may result in a situation where CORS permissions are less restrictive than intended.

Recommendation

Update hapi to version 11.1.4 or later.

Affected versions: ["0.0.1", "0.0.2", "0.0.3", "0.0.4", "0.0.5", "0.0.6", "0.1.0", "0.1.1", "0.1.2", "0.1.3", "0.2.0", "0.2.1", "0.3.0", "0.4.0", "0.4.1", "0.4.2", "0.4.3", "0.4.4", "0.5.0", "0.5.1", "0.6.0", "0.6.1", "0.5.2", "0.7.0", "0.7.1", "0.8.0", "0.8.1", "0.8.2", "0.8.3", "0.8.4", "0.9.0", "0.9.1", "0.9.2", "0.10.0", "0.10.1", "0.11.0", "0.11.1", "0.11.2", "0.11.3", "0.12.0", "0.13.0", "0.13.1", "0.13.2", "0.11.4", "0.13.3", "0.14.0", "0.14.1", "0.14.2", "0.15.0", "0.15.1", "0.15.2", "0.15.3", "0.15.4", "0.15.5", "0.15.6", "0.15.7", "0.15.8", "0.15.9", "0.16.0", "1.0.0", "1.0.1", "1.0.2", "1.0.3", "1.1.0", "1.2.0", "1.3.0", "1.4.0", "1.5.0", "1.6.0", "1.6.1", "1.6.2", "1.7.0", "1.7.1", "1.7.2", "1.7.3", "1.8.0", "1.8.1", "1.8.2", "1.8.3", "1.9.0", "1.9.1", "1.9.2", "1.9.3", "1.9.4", "1.9.5", "1.9.6", "1.9.7", "1.10.0", "1.11.0", "1.11.1", "1.12.0", "1.13.0", "1.14.0", "1.15.0", "1.16.0", "1.16.1", "1.17.0", "1.18.0", "1.19.0", "1.19.1", "1.19.2", "1.19.3", "1.19.4", "1.19.5", "1.20.0", "2.0.0-preview", "0.5.1-a", "0.5.1-b", "0.5.1-b2", "0.5.1-c", "2.0.0", "2.1.0", "2.1.1", "2.1.2", "2.2.0", "2.3.0", "2.4.0", "2.5.0", "2.6.0", "3.0.0", "3.0.1", "3.0.2", "3.1.0", "4.0.0", "4.0.1", "4.0.2", "4.0.3", "4.1.0", "4.1.1", "4.1.2", "4.1.3", "4.1.4", "5.0.0", "5.1.0", "6.0.0", "6.0.1", "6.0.2", "6.1.0", "6.2.0", "6.2.1", "6.2.2", "6.3.0", "6.4.0", "6.5.0", "6.5.1", "6.6.0", "6.7.0", "6.7.1", "6.8.0", "6.8.1", "6.9.0", "6.10.0", "6.11.0", "6.11.1", "7.0.0", "7.0.1", "7.1.0", "7.1.1", "7.2.0", "7.3.0", "7.4.0", "7.5.0", "7.5.1", "7.5.2", "8.0.0", "7.5.3", "8.1.0", "8.2.0", "8.3.0", "8.3.1", "8.4.0", "8.5.0", "8.5.1", "8.5.2", "8.5.3", "8.6.0", "8.6.1", "8.8.0", "8.8.1", "9.0.0", "9.0.1", "9.0.2", "9.0.3", "9.0.4", "9.1.0", "9.2.0", "9.3.0", "9.3.1", "10.0.0", "10.0.1", "10.1.0", "10.2.1", "10.4.0", "10.4.1", "10.5.0", "11.0.0", "11.0.1", "11.0.2", "11.0.3", "11.0.4", "11.0.5", "11.1.0", "11.1.1", "11.1.2", "11.1.3", "9.5.1"]
Secure versions: []

Denial of Service in hapi

Published date: 2018-06-07T19:43:15Z
CVE: CVE-2015-9241
Links:

Versions of hapi prior to 11.1.3 are affected by a denial of service vulnerability.

The vulnerability is triggered when certain input is passed into the If-Modified-Since or Last-Modified headers.

This causes an 'illegal access' exception to be raised, and instead of sending a HTTP 500 error back to the sender, hapi will continue to hold the socket open until timed out (default node timeout is 2 minutes).

Recommendation

Update to v11.1.3 or later

Affected versions: ["0.0.1", "0.0.2", "0.0.3", "0.0.4", "0.0.5", "0.0.6", "0.1.0", "0.1.1", "0.1.2", "0.1.3", "0.2.0", "0.2.1", "0.3.0", "0.4.0", "0.4.1", "0.4.2", "0.4.3", "0.4.4", "0.5.0", "0.5.1", "0.6.0", "0.6.1", "0.5.2", "0.7.0", "0.7.1", "0.8.0", "0.8.1", "0.8.2", "0.8.3", "0.8.4", "0.9.0", "0.9.1", "0.9.2", "0.10.0", "0.10.1", "0.11.0", "0.11.1", "0.11.2", "0.11.3", "0.12.0", "0.13.0", "0.13.1", "0.13.2", "0.11.4", "0.13.3", "0.14.0", "0.14.1", "0.14.2", "0.15.0", "0.15.1", "0.15.2", "0.15.3", "0.15.4", "0.15.5", "0.15.6", "0.15.7", "0.15.8", "0.15.9", "0.16.0", "1.0.0", "1.0.1", "1.0.2", "1.0.3", "1.1.0", "1.2.0", "1.3.0", "1.4.0", "1.5.0", "1.6.0", "1.6.1", "1.6.2", "1.7.0", "1.7.1", "1.7.2", "1.7.3", "1.8.0", "1.8.1", "1.8.2", "1.8.3", "1.9.0", "1.9.1", "1.9.2", "1.9.3", "1.9.4", "1.9.5", "1.9.6", "1.9.7", "1.10.0", "1.11.0", "1.11.1", "1.12.0", "1.13.0", "1.14.0", "1.15.0", "1.16.0", "1.16.1", "1.17.0", "1.18.0", "1.19.0", "1.19.1", "1.19.2", "1.19.3", "1.19.4", "1.19.5", "1.20.0", "2.0.0-preview", "0.5.1-a", "0.5.1-b", "0.5.1-b2", "0.5.1-c", "2.0.0", "2.1.0", "2.1.1", "2.1.2", "2.2.0", "2.3.0", "2.4.0", "2.5.0", "2.6.0", "3.0.0", "3.0.1", "3.0.2", "3.1.0", "4.0.0", "4.0.1", "4.0.2", "4.0.3", "4.1.0", "4.1.1", "4.1.2", "4.1.3", "4.1.4", "5.0.0", "5.1.0", "6.0.0", "6.0.1", "6.0.2", "6.1.0", "6.2.0", "6.2.1", "6.2.2", "6.3.0", "6.4.0", "6.5.0", "6.5.1", "6.6.0", "6.7.0", "6.7.1", "6.8.0", "6.8.1", "6.9.0", "6.10.0", "6.11.0", "6.11.1", "7.0.0", "7.0.1", "7.1.0", "7.1.1", "7.2.0", "7.3.0", "7.4.0", "7.5.0", "7.5.1", "7.5.2", "8.0.0", "7.5.3", "8.1.0", "8.2.0", "8.3.0", "8.3.1", "8.4.0", "8.5.0", "8.5.1", "8.5.2", "8.5.3", "8.6.0", "8.6.1", "8.8.0", "8.8.1", "9.0.0", "9.0.1", "9.0.2", "9.0.3", "9.0.4", "9.1.0", "9.2.0", "9.3.0", "9.3.1", "10.0.0", "10.0.1", "10.1.0", "10.2.1", "10.4.0", "10.4.1", "10.5.0", "11.0.0", "11.0.1", "11.0.2", "11.0.3", "11.0.4", "11.0.5", "11.1.0", "11.1.1", "11.1.2", "9.5.1"]
Secure versions: []

Incorrect handling of CORS preflight request headers in hapi

Published date: 2018-06-07T19:43:25Z
CVE: CVE-2015-9236
Links:

Versions of hapi prior to 11.0.0 implement CORS incorrectly, allowing for configurations that at best return inconsistent headers, and at worst allow cross-origin activities that are expected to be forbidden.

If the connection has CORS enabled but one route has it off, and the route is not GET, the OPTIONS prefetch request will return the default CORS headers and then the actual request will go through and return no CORS headers. This defeats the purpose of turning CORS on the route.

Recommendation

Update to version 11.0.0 or later.

Affected versions: ["0.0.1", "0.0.2", "0.0.3", "0.0.4", "0.0.5", "0.0.6", "0.1.0", "0.1.1", "0.1.2", "0.1.3", "0.2.0", "0.2.1", "0.3.0", "0.4.0", "0.4.1", "0.4.2", "0.4.3", "0.4.4", "0.5.0", "0.5.1", "0.6.0", "0.6.1", "0.5.2", "0.7.0", "0.7.1", "0.8.0", "0.8.1", "0.8.2", "0.8.3", "0.8.4", "0.9.0", "0.9.1", "0.9.2", "0.10.0", "0.10.1", "0.11.0", "0.11.1", "0.11.2", "0.11.3", "0.12.0", "0.13.0", "0.13.1", "0.13.2", "0.11.4", "0.13.3", "0.14.0", "0.14.1", "0.14.2", "0.15.0", "0.15.1", "0.15.2", "0.15.3", "0.15.4", "0.15.5", "0.15.6", "0.15.7", "0.15.8", "0.15.9", "0.16.0", "1.0.0", "1.0.1", "1.0.2", "1.0.3", "1.1.0", "1.2.0", "1.3.0", "1.4.0", "1.5.0", "1.6.0", "1.6.1", "1.6.2", "1.7.0", "1.7.1", "1.7.2", "1.7.3", "1.8.0", "1.8.1", "1.8.2", "1.8.3", "1.9.0", "1.9.1", "1.9.2", "1.9.3", "1.9.4", "1.9.5", "1.9.6", "1.9.7", "1.10.0", "1.11.0", "1.11.1", "1.12.0", "1.13.0", "1.14.0", "1.15.0", "1.16.0", "1.16.1", "1.17.0", "1.18.0", "1.19.0", "1.19.1", "1.19.2", "1.19.3", "1.19.4", "1.19.5", "1.20.0", "2.0.0-preview", "0.5.1-a", "0.5.1-b", "0.5.1-b2", "0.5.1-c", "2.0.0", "2.1.0", "2.1.1", "2.1.2", "2.2.0", "2.3.0", "2.4.0", "2.5.0", "2.6.0", "3.0.0", "3.0.1", "3.0.2", "3.1.0", "4.0.0", "4.0.1", "4.0.2", "4.0.3", "4.1.0", "4.1.1", "4.1.2", "4.1.3", "4.1.4", "5.0.0", "5.1.0", "6.0.0", "6.0.1", "6.0.2", "6.1.0", "6.2.0", "6.2.1", "6.2.2", "6.3.0", "6.4.0", "6.5.0", "6.5.1", "6.6.0", "6.7.0", "6.7.1", "6.8.0", "6.8.1", "6.9.0", "6.10.0", "6.11.0", "6.11.1", "7.0.0", "7.0.1", "7.1.0", "7.1.1", "7.2.0", "7.3.0", "7.4.0", "7.5.0", "7.5.1", "7.5.2", "8.0.0", "7.5.3", "8.1.0", "8.2.0", "8.3.0", "8.3.1", "8.4.0", "8.5.0", "8.5.1", "8.5.2", "8.5.3", "8.6.0", "8.6.1", "8.8.0", "8.8.1", "9.0.0", "9.0.1", "9.0.2", "9.0.3", "9.0.4", "9.1.0", "9.2.0", "9.3.0", "9.3.1", "10.0.0", "10.0.1", "10.1.0", "10.2.1", "10.4.0", "10.4.1", "10.5.0", "9.5.1"]
Secure versions: []

Incorrect handling of CORS preflight request headers

Published date: 2015-10-20
CVSS Score: 5.3
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Coordinating vendor: ^Lift Security
Links:

Hapi versions less than 11.0.0 implement CORS incorrectly and allowed for configurations that at best returned inconsistent headers and at worst allowed cross-origin activities that were expected to be forbidden. [1]

'If the connection has CORS enabled but one route has it off, and the route is not GET, the OPTIONS prefetch request will return the default CORS headers and then the actual request will go through and return no CORS headers. This defeats the purpose of turning CORS on the route.' [2]

Affected versions: ["0.0.1", "0.0.2", "0.0.3", "0.0.4", "0.0.5", "0.0.6", "0.1.0", "0.1.1", "0.1.2", "0.1.3", "0.2.0", "0.2.1", "0.3.0", "0.4.0", "0.4.1", "0.4.2", "0.4.3", "0.4.4", "0.5.0", "0.5.1", "0.6.0", "0.6.1", "0.5.2", "0.7.0", "0.7.1", "0.8.0", "0.8.1", "0.8.2", "0.8.3", "0.8.4", "0.9.0", "0.9.1", "0.9.2", "0.10.0", "0.10.1", "0.11.0", "0.11.1", "0.11.2", "0.11.3", "0.12.0", "0.13.0", "0.13.1", "0.13.2", "0.11.4", "0.13.3", "0.14.0", "0.14.1", "0.14.2", "0.15.0", "0.15.1", "0.15.2", "0.15.3", "0.15.4", "0.15.5", "0.15.6", "0.15.7", "0.15.8", "0.15.9", "0.16.0", "1.0.0", "1.0.1", "1.0.2", "1.0.3", "1.1.0", "1.2.0", "1.3.0", "1.4.0", "1.5.0", "1.6.0", "1.6.1", "1.6.2", "1.7.0", "1.7.1", "1.7.2", "1.7.3", "1.8.0", "1.8.1", "1.8.2", "1.8.3", "1.9.0", "1.9.1", "1.9.2", "1.9.3", "1.9.4", "1.9.5", "1.9.6", "1.9.7", "1.10.0", "1.11.0", "1.11.1", "1.12.0", "1.13.0", "1.14.0", "1.15.0", "1.16.0", "1.16.1", "1.17.0", "1.18.0", "1.19.0", "1.19.1", "1.19.2", "1.19.3", "1.19.4", "1.19.5", "1.20.0", "2.0.0-preview", "0.5.1-a", "0.5.1-b", "0.5.1-b2", "0.5.1-c", "2.0.0", "2.1.0", "2.1.1", "2.1.2", "2.2.0", "2.3.0", "2.4.0", "2.5.0", "2.6.0", "3.0.0", "3.0.1", "3.0.2", "3.1.0", "4.0.0", "4.0.1", "4.0.2", "4.0.3", "4.1.0", "4.1.1", "4.1.2", "4.1.3", "4.1.4", "5.0.0", "5.1.0", "6.0.0", "6.0.1", "6.0.2", "6.1.0", "6.2.0", "6.2.1", "6.2.2", "6.3.0", "6.4.0", "6.5.0", "6.5.1", "6.6.0", "6.7.0", "6.7.1", "6.8.0", "6.8.1", "6.9.0", "6.10.0", "6.11.0", "6.11.1", "7.0.0", "7.0.1", "7.1.0", "7.1.1", "7.2.0", "7.3.0", "7.4.0", "7.5.0", "7.5.1", "7.5.2", "8.0.0", "7.5.3", "8.1.0", "8.2.0", "8.3.0", "8.3.1", "8.4.0", "8.5.0", "8.5.1", "8.5.2", "8.5.3", "8.6.0", "8.6.1", "8.8.0", "8.8.1", "9.0.0", "9.0.1", "9.0.2", "9.0.3", "9.0.4", "9.1.0", "9.2.0", "9.3.0", "9.3.1", "10.0.0", "10.0.1", "10.1.0", "10.2.1", "10.4.0", "10.4.1", "10.5.0", "9.5.1"]
Secure versions: []
Recommendation: Updated to hapi version 11.0.0 or greater

Denial of service - Potential socket exhaustion

Published date: 2015-12-23
CVSS Score: 7.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Coordinating vendor: ^Lift Security
Links:

Certain input passed into the If-Modified-Since or Last-Modified headers will cause an 'illegal access' exception to be raised. Instead of sending a HTTP 500 error back to the sender, hapi will continue to hold the socket open until timed out (default node timeout is 2 minutes).

Special thanks to James Halliday for bringing this exception pattern to our attention via the ecstatic advisory which lead to identifying this.

Affected versions: ["0.0.1", "0.0.2", "0.0.3", "0.0.4", "0.0.5", "0.0.6", "0.1.0", "0.1.1", "0.1.2", "0.1.3", "0.2.0", "0.2.1", "0.3.0", "0.4.0", "0.4.1", "0.4.2", "0.4.3", "0.4.4", "0.5.0", "0.5.1", "0.6.0", "0.6.1", "0.5.2", "0.7.0", "0.7.1", "0.8.0", "0.8.1", "0.8.2", "0.8.3", "0.8.4", "0.9.0", "0.9.1", "0.9.2", "0.10.0", "0.10.1", "0.11.0", "0.11.1", "0.11.2", "0.11.3", "0.12.0", "0.13.0", "0.13.1", "0.13.2", "0.11.4", "0.13.3", "0.14.0", "0.14.1", "0.14.2", "0.15.0", "0.15.1", "0.15.2", "0.15.3", "0.15.4", "0.15.5", "0.15.6", "0.15.7", "0.15.8", "0.15.9", "0.16.0", "1.0.0", "1.0.1", "1.0.2", "1.0.3", "1.1.0", "1.2.0", "1.3.0", "1.4.0", "1.5.0", "1.6.0", "1.6.1", "1.6.2", "1.7.0", "1.7.1", "1.7.2", "1.7.3", "1.8.0", "1.8.1", "1.8.2", "1.8.3", "1.9.0", "1.9.1", "1.9.2", "1.9.3", "1.9.4", "1.9.5", "1.9.6", "1.9.7", "1.10.0", "1.11.0", "1.11.1", "1.12.0", "1.13.0", "1.14.0", "1.15.0", "1.16.0", "1.16.1", "1.17.0", "1.18.0", "1.19.0", "1.19.1", "1.19.2", "1.19.3", "1.19.4", "1.19.5", "1.20.0", "2.0.0-preview", "0.5.1-a", "0.5.1-b", "0.5.1-b2", "0.5.1-c", "2.0.0", "2.1.0", "2.1.1", "2.1.2", "2.2.0", "2.3.0", "2.4.0", "2.5.0", "2.6.0", "3.0.0", "3.0.1", "3.0.2", "3.1.0", "4.0.0", "4.0.1", "4.0.2", "4.0.3", "4.1.0", "4.1.1", "4.1.2", "4.1.3", "4.1.4", "5.0.0", "5.1.0", "6.0.0", "6.0.1", "6.0.2", "6.1.0", "6.2.0", "6.2.1", "6.2.2", "6.3.0", "6.4.0", "6.5.0", "6.5.1", "6.6.0", "6.7.0", "6.7.1", "6.8.0", "6.8.1", "6.9.0", "6.10.0", "6.11.0", "6.11.1", "7.0.0", "7.0.1", "7.1.0", "7.1.1", "7.2.0", "7.3.0", "7.4.0", "7.5.0", "7.5.1", "7.5.2", "8.0.0", "7.5.3", "8.1.0", "8.2.0", "8.3.0", "8.3.1", "8.4.0", "8.5.0", "8.5.1", "8.5.2", "8.5.3", "8.6.0", "8.6.1", "8.8.0", "8.8.1", "9.0.0", "9.0.1", "9.0.2", "9.0.3", "9.0.4", "9.1.0", "9.2.0", "9.3.0", "9.3.1", "10.0.0", "10.0.1", "10.1.0", "10.2.1", "10.4.0", "10.4.1", "10.5.0", "11.0.0", "11.0.1", "11.0.2", "11.0.3", "11.0.4", "11.0.5", "11.1.0", "11.1.1", "11.1.2", "9.5.1"]
Secure versions: []
Recommendation: Upgrade to hapi v11.1.3 or greater.

Route level CORS config overrides connection level defaults

Published date: 2015-12-28
CVSS Score: 6.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Coordinating vendor: ^Lift Security
Links:

When server level, connection level or route level CORS configurations are combined and when a higher level config included security restrictions (like origin), a higher level config that included security restrictions (like origin) would have those restrictions overridden by less restrictive defaults (e.g. origin defaults to all origins *).

Affected versions: ["0.0.1", "0.0.2", "0.0.3", "0.0.4", "0.0.5", "0.0.6", "0.1.0", "0.1.1", "0.1.2", "0.1.3", "0.2.0", "0.2.1", "0.3.0", "0.4.0", "0.4.1", "0.4.2", "0.4.3", "0.4.4", "0.5.0", "0.5.1", "0.6.0", "0.6.1", "0.5.2", "0.7.0", "0.7.1", "0.8.0", "0.8.1", "0.8.2", "0.8.3", "0.8.4", "0.9.0", "0.9.1", "0.9.2", "0.10.0", "0.10.1", "0.11.0", "0.11.1", "0.11.2", "0.11.3", "0.12.0", "0.13.0", "0.13.1", "0.13.2", "0.11.4", "0.13.3", "0.14.0", "0.14.1", "0.14.2", "0.15.0", "0.15.1", "0.15.2", "0.15.3", "0.15.4", "0.15.5", "0.15.6", "0.15.7", "0.15.8", "0.15.9", "0.16.0", "1.0.0", "1.0.1", "1.0.2", "1.0.3", "1.1.0", "1.2.0", "1.3.0", "1.4.0", "1.5.0", "1.6.0", "1.6.1", "1.6.2", "1.7.0", "1.7.1", "1.7.2", "1.7.3", "1.8.0", "1.8.1", "1.8.2", "1.8.3", "1.9.0", "1.9.1", "1.9.2", "1.9.3", "1.9.4", "1.9.5", "1.9.6", "1.9.7", "1.10.0", "1.11.0", "1.11.1", "1.12.0", "1.13.0", "1.14.0", "1.15.0", "1.16.0", "1.16.1", "1.17.0", "1.18.0", "1.19.0", "1.19.1", "1.19.2", "1.19.3", "1.19.4", "1.19.5", "1.20.0", "2.0.0-preview", "0.5.1-a", "0.5.1-b", "0.5.1-b2", "0.5.1-c", "2.0.0", "2.1.0", "2.1.1", "2.1.2", "2.2.0", "2.3.0", "2.4.0", "2.5.0", "2.6.0", "3.0.0", "3.0.1", "3.0.2", "3.1.0", "4.0.0", "4.0.1", "4.0.2", "4.0.3", "4.1.0", "4.1.1", "4.1.2", "4.1.3", "4.1.4", "5.0.0", "5.1.0", "6.0.0", "6.0.1", "6.0.2", "6.1.0", "6.2.0", "6.2.1", "6.2.2", "6.3.0", "6.4.0", "6.5.0", "6.5.1", "6.6.0", "6.7.0", "6.7.1", "6.8.0", "6.8.1", "6.9.0", "6.10.0", "6.11.0", "6.11.1", "7.0.0", "7.0.1", "7.1.0", "7.1.1", "7.2.0", "7.3.0", "7.4.0", "7.5.0", "7.5.1", "7.5.2", "8.0.0", "7.5.3", "8.1.0", "8.2.0", "8.3.0", "8.3.1", "8.4.0", "8.5.0", "8.5.1", "8.5.2", "8.5.3", "8.6.0", "8.6.1", "8.8.0", "8.8.1", "9.0.0", "9.0.1", "9.0.2", "9.0.3", "9.0.4", "9.1.0", "9.2.0", "9.3.0", "9.3.1", "10.0.0", "10.0.1", "10.1.0", "10.2.1", "10.4.0", "10.4.1", "10.5.0", "11.0.0", "11.0.1", "11.0.2", "11.0.3", "11.0.4", "11.0.5", "11.1.0", "11.1.1", "11.1.2", "11.1.3", "9.5.1"]
Secure versions: []
Recommendation: You should install hapi v11.1.4 or newer if you combine server level, connection level, or route level CORS configuration.

295 Other Versions

Version License Security Released
18.1.0 BSD-3-Clause 1 2019-02-04 - 21:52 over 5 years
18.0.1 BSD-3-Clause 1 2019-01-31 - 20:14 over 5 years
18.0.0 BSD-3-Clause 1 2019-01-18 - 20:07 almost 6 years
17.8.5 BSD-3-Clause 1 2019-03-19 - 01:21 over 5 years
17.8.4 BSD-3-Clause 1 2019-02-04 - 21:33 over 5 years
17.8.3 BSD-3-Clause 1 2019-01-31 - 20:11 over 5 years
17.8.2 BSD-3-Clause 1 2019-01-31 - 20:02 over 5 years
17.8.1 BSD-3-Clause 1 2018-11-23 - 04:19 almost 6 years
17.8.0 BSD-3-Clause 1 2018-11-23 - 03:11 almost 6 years
17.7.0 BSD-3-Clause 1 2018-11-06 - 00:50 almost 6 years
17.6.4 BSD-3-Clause 1 2018-11-03 - 04:32 almost 6 years
17.6.3 BSD-3-Clause 1 2018-11-02 - 17:56 almost 6 years
17.6.2 BSD-3-Clause 1 2018-11-01 - 22:31 almost 6 years
17.6.1 BSD-3-Clause 1 2018-11-01 - 22:26 almost 6 years
17.6.0 BSD-3-Clause 1 2018-09-25 - 07:55 about 6 years
17.5.5 BSD-3-Clause 1 2018-09-23 - 06:01 about 6 years
17.5.4 BSD-3-Clause 1 2018-08-28 - 07:46 about 6 years
17.5.3 BSD-3-Clause 1 2018-08-02 - 00:17 over 6 years
17.5.2 BSD-3-Clause 1 2018-06-24 - 04:17 over 6 years
17.5.1 BSD-3-Clause 1 2018-05-30 - 15:18 over 6 years
17.5.0 BSD-3-Clause 1 2018-05-21 - 17:59 over 6 years
17.4.0 BSD-3-Clause 1 2018-04-29 - 00:44 over 6 years
17.3.1 BSD-3-Clause 1 2018-04-02 - 19:18 over 6 years
17.3.0 BSD-3-Clause 1 2018-03-31 - 00:33 over 6 years
17.2.3 BSD-3-Clause 1 2018-03-16 - 05:38 over 6 years
17.2.2 BSD-3-Clause 1 2018-03-07 - 09:17 over 6 years
17.2.1 BSD-3-Clause 1 2018-03-01 - 09:45 over 6 years
17.2.0 BSD-3-Clause 1 2017-12-20 - 06:31 almost 7 years
17.1.1 BSD-3-Clause 1 2017-11-23 - 19:08 almost 7 years
17.1.0 BSD-3-Clause 1 2017-11-23 - 09:46 almost 7 years
17.0.2 BSD-3-Clause 1 2017-11-21 - 07:25 almost 7 years
17.0.1 BSD-3-Clause 1 2017-11-05 - 08:55 almost 7 years
17.0.0 BSD-3-Clause 1 2017-11-03 - 22:30 almost 7 years
17.0.0-rc10 BSD-3-Clause 1 2017-11-03 - 09:52 almost 7 years
17.0.0-rc9 BSD-3-Clause 1 2017-10-22 - 08:56 about 7 years
17.0.0-rc8 BSD-3-Clause 1 2017-10-18 - 09:30 about 7 years
17.0.0-rc6 BSD-3-Clause 1 2017-10-07 - 09:42 about 7 years
17.0.0-rc4 BSD-3-Clause 1 2017-10-06 - 23:19 about 7 years
17.0.0-rc3 BSD-3-Clause 1 2017-10-06 - 09:13 about 7 years
17.0.0-rc2 BSD-3-Clause 1 2017-10-02 - 20:11 about 7 years
17.0.0-rc1 BSD-3-Clause 1 2017-09-28 - 19:24 about 7 years
16.8.4 SEE LICENSE IN LICENSE.md 1 2024-01-06 - 10:28 10 months
16.7.0 BSD-3-Clause 1 2018-11-06 - 03:27 almost 6 years
16.6.5 BSD-3-Clause 1 2018-11-05 - 22:47 almost 6 years
16.6.4 BSD-3-Clause 1 2018-11-02 - 21:52 almost 6 years
16.6.3 BSD-3-Clause 1 2018-03-01 - 09:54 over 6 years
16.6.2 BSD-3-Clause 1 2017-09-25 - 20:37 about 7 years
16.6.1 BSD-3-Clause 1 2017-09-24 - 17:34 about 7 years
16.6.0 BSD-3-Clause 1 2017-09-12 - 19:36 about 7 years
16.5.2 BSD-3-Clause 1 2017-08-04 - 05:01 about 7 years
16.5.1 BSD-3-Clause 1 2017-08-04 - 00:11 about 7 years
16.5.0 BSD-3-Clause 1 2017-07-20 - 08:38 over 7 years
16.4.3 BSD-3-Clause 1 2017-06-09 - 18:33 over 7 years
16.4.2 BSD-3-Clause 1 2017-06-08 - 07:06 over 7 years
16.4.1 BSD-3-Clause 1 2017-06-05 - 17:27 over 7 years
16.4.0 BSD-3-Clause 1 2017-06-05 - 08:13 over 7 years
16.3.1 BSD-3-Clause 1 2017-06-05 - 03:22 over 7 years
16.3.0 BSD-3-Clause 1 2017-05-30 - 20:47 over 7 years
16.2.0 BSD-3-Clause 1 2017-05-29 - 09:41 over 7 years
16.1.1 BSD-3-Clause 1 2017-03-31 - 20:13 over 7 years
16.1.0 BSD-3-Clause 3 2016-12-29 - 22:03 almost 8 years
16.0.3 BSD-3-Clause 3 2016-12-29 - 08:21 almost 8 years
16.0.2 BSD-3-Clause 3 2016-12-19 - 08:38 almost 8 years
16.0.1 BSD-3-Clause 3 2016-12-01 - 19:03 almost 8 years
16.0.0 BSD-3-Clause 3 2016-11-30 - 00:40 almost 8 years
15.2.0 BSD-3-Clause 3 2016-10-20 - 17:13 about 8 years
15.1.1 BSD-3-Clause 3 2016-09-27 - 20:58 about 8 years
15.1.0 BSD-3-Clause 3 2016-09-27 - 00:02 about 8 years
15.0.3 BSD-3-Clause 3 2016-09-01 - 00:07 about 8 years
15.0.2 BSD-3-Clause 3 2016-08-28 - 21:48 about 8 years
15.0.1 BSD-3-Clause 3 2016-08-26 - 23:44 about 8 years
14.2.0 BSD-3-Clause 1 2016-08-13 - 20:38 about 8 years
14.1.0 BSD-3-Clause 1 2016-08-01 - 19:28 over 8 years
14.0.0 BSD-3-Clause 1 2016-07-29 - 18:28 over 8 years
13.5.3 BSD-3-Clause 1 2016-07-29 - 18:57 over 8 years
13.5.0 BSD-3-Clause 1 2016-07-06 - 03:56 over 8 years
13.4.2 BSD-3-Clause 1 2016-07-04 - 04:31 over 8 years
13.4.1 BSD-3-Clause 1 2016-05-21 - 08:11 over 8 years
13.4.0 BSD-3-Clause 1 2016-05-07 - 21:32 over 8 years
13.3.0 BSD-3-Clause 1 2016-04-02 - 17:22 over 8 years
13.2.2 BSD-3-Clause 1 2016-03-25 - 16:50 over 8 years
13.2.1 BSD-3-Clause 1 2016-03-11 - 06:11 over 8 years
13.2.0 BSD-3-Clause 1 2016-03-11 - 06:07 over 8 years
13.1.0 BSD-3-Clause 1 2016-03-10 - 01:50 over 8 years
13.0.0 BSD-3-Clause 1 2016-02-01 - 08:16 over 8 years
12.1.0 BSD-3-Clause 1 2016-01-09 - 22:38 almost 9 years
12.0.1 BSD-3-Clause 1 2016-01-06 - 19:32 almost 9 years
12.0.0 BSD-3-Clause 1 2016-01-04 - 23:10 almost 9 years
11.1.4 BSD-3-Clause 1 2015-12-27 - 16:15 almost 9 years
11.1.3 BSD-3-Clause 3 2015-12-23 - 21:52 almost 9 years
11.1.2 BSD-3-Clause 5 2015-11-21 - 22:30 almost 9 years
11.1.1 BSD-3-Clause 5 2015-11-14 - 17:39 almost 9 years
11.1.0 BSD-3-Clause 5 2015-11-05 - 08:51 almost 9 years
11.0.5 BSD-3-Clause 5 2015-11-03 - 20:53 almost 9 years
11.0.4 BSD-3-Clause 5 2015-11-03 - 08:14 almost 9 years
11.0.3 BSD-3-Clause 5 2015-10-30 - 06:09 about 9 years
11.0.2 BSD-3-Clause 5 2015-10-21 - 15:42 about 9 years
11.0.1 BSD-3-Clause 5 2015-10-20 - 04:47 about 9 years
11.0.0 BSD-3-Clause 5 2015-10-16 - 19:30 about 9 years
10.5.0 BSD-3-Clause 7 2015-10-15 - 16:00 about 9 years