Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

CVE-2015-9236

UNKNOWN
Published 2018-05-31T20:00:00Z
Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2015-9236. We'll provide specific mitigation strategies based on your environment and risk profile.

No CVSS data available

Description

Hapi versions less than 11.0.0 implement CORS incorrectly and allowed for configurations that at best returned inconsistent headers and at worst allowed cross-origin activities that were expected to be forbidden. If the connection has CORS enabled but one route has it off, and the route is not GET, the OPTIONS prefetch request will return the default CORS headers and then the actual request will go through and return no CORS headers. This defeats the purpose of turning CORS on the route.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

HackerOne

hapi node module

Affected Versions:

<11.0.0

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed MODERATE

Incorrect handling of CORS preflight request headers in hapi

GHSA-vwrf-r5r4-7775

Advisory Details

Versions of `hapi` prior to 11.0.0 implement CORS incorrectly, allowing for configurations that at best return inconsistent headers, and at worst allow cross-origin activities that are expected to be forbidden. If the connection has CORS enabled but one route has it off, and the route is not GET, the OPTIONS prefetch request will return the default CORS headers and then the actual request will go through and return no CORS headers. This defeats the purpose of turning CORS on the route. ## Recommendation Update to version 11.0.0 or later.

Affected Packages

npm hapi
ECOSYSTEM: ≥0 <11.0.0

CVSS Scoring

CVSS Score

5.0

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2015-9236
WEB https://github.com/hapijs/hapi/issues/2840
WEB https://github.com/hapijs/hapi/issues/2850
ADVISORY https://github.com/advisories/GHSA-vwrf-r5r4-7775
WEB https://www.npmjs.com/advisories/45

Advisory provided by GitHub Security Advisory Database. Published: June 7, 2018, Modified: August 31, 2020

References

https://github.com/hapijs/hapi/issues/2850
https://github.com/hapijs/hapi/issues/2840
https://nodesecurity.io/advisories/45
Published: 2018-05-31T20:00:00Z
Last Modified: 2024-09-17T04:15:13.448Z
Copied to clipboard!