Description
Route Validation Bypass in call
Affected versions of call do not validate empty parameters, which may result in a bypass of route validation rules.
Proof of Concept
Routing Scheme:
/api/{param}/{param2}/details
Triggering Request Path:
/api///
Recommendation
Update to version 3.0.2 or later.
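The following added example is a simplified model of the flaw described above; it is not the call package's code. The function names, the per-parameter rules and the request paths are constructed for illustration; only the routing scheme is taken from the advisory.

```javascript
'use strict';

// Simplified model of a parameterised router; NOT the `call` package's code.
// Hypothetical names: compileRoute, extract, matchVulnerable, matchHardened.
function compileRoute(template) {
  const names = [];
  const source = template.split('/').map((segment) => {
    const param = /^\{(\w+)\}$/.exec(segment);
    if (!param) return segment.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
    names.push(param[1]);
    return '([^/]*)'; // captures the segment, including an empty one
  }).join('/');
  return { regex: new RegExp(`^${source}$`), names };
}

function extract(route, path) {
  const m = route.regex.exec(path);
  if (!m) return null;
  return Object.fromEntries(route.names.map((name, i) => [name, m[i + 1]]));
}

// Vulnerable pattern: a rule is applied only when the value is non-empty,
// so an empty parameter is never validated and the request is still routed.
function matchVulnerable(route, rules, path) {
  const params = extract(route, path);
  if (!params) return null;
  for (const [name, value] of Object.entries(params)) {
    if (value && !rules[name].test(value)) return null;
  }
  return params;
}

// Hardened pattern: an empty required parameter is a non-match, and every
// captured value must pass its rule.
function matchHardened(route, rules, path) {
  const params = extract(route, path);
  if (!params) return null;
  for (const [name, value] of Object.entries(params)) {
    if (value === '' || !rules[name].test(value)) return null;
  }
  return params;
}

// Routing scheme from the advisory; the rules below are constructed.
const route = compileRoute('/api/{param}/{param2}/details');
const rules = { param: /^[0-9]+$/, param2: /^[a-z]+$/ };
```

A regression test for a router upgrade can assert that a path with empty parameter segments is a non-match, alongside the usual valid and invalid cases.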
Packages
Name: call (npm)
Affected versions: >= 2.0.1, < 3.0.2
Fixed version: 3.0.2
Related vulnerabilities
CVSS3: 5.3
nvd
more than 7 years ago
call is an HTTP router that is primarily used by the hapi framework. There exists a bug in call versions 2.0.1-3.0.1 that does not validate empty parameters, which could result in invalid input bypassing the route validation rules.