CVE-2015-9243

Опубликовано: 29 мая 2018

Источник: nvd

CVSS3: 5.9

CVSS2: 4.3

EPSS Низкий

Описание

When server level, connection level or route level CORS configurations in hapi node module before 11.1.4 are combined and when a higher level config included security restrictions (like origin), a higher level config that included security restrictions (like origin) would have those restrictions overridden by less restrictive defaults (e.g. origin defaults to all origins *).

Ссылки

https://github.com/hapijs/hapi/issues/2980
Exploit
Issue Tracking
Third Party Advisory
https://nodesecurity.io/advisories/65
Third Party Advisory
https://github.com/hapijs/hapi/issues/2980
Exploit
Issue Tracking
Third Party Advisory
https://nodesecurity.io/advisories/65
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:hapijs:hapi:*:*:*:*:*:node.js:*:*

Версия до 11.1.4 (исключая)

EPSS

Процентиль: 38%

0.00165

Низкий

5.9 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-284

CWE-254

Связанные уязвимости

GHSA-j3g2-m5jj-6336

github

больше 5 лет назад

Unsafe Merging of CORS Configuration Conflict in hapi