CVE-2015-9236 - OpenCVE

Hapi versions less than 11.0.0 implement CORS incorrectly and allowed for configurations that at best returned inconsistent headers and at worst allowed cross-origin activities that were expected to be forbidden. If the connection has CORS enabled but one route has it off, and the route is not GET, the OPTIONS prefetch request will return the default CORS headers and then the actual request will go through and return no CORS headers. This defeats the purpose of turning CORS on the route.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Hapijs	Hapi

Configuration 1 [-]

cpe:2.3:a:hapijs:hapi:*:*:*:*:*:node.js:*:*

References

Link	Resource
https://github.com/hapijs/hapi/issues/2840	Patch Third Party Advisory
https://github.com/hapijs/hapi/issues/2850	Release Notes Third Party Advisory
https://nodesecurity.io/advisories/45	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: hackerone

Published: 2018-04-26T00:00:00

Updated: 2018-05-31T19:57:01

Reserved: 2017-10-29T00:00:00

Link: CVE-2015-9236

JSON object: View

NVD Information

Status : Modified

Published: 2018-05-31T20:29:00.360

Modified: 2019-10-09T23:15:57.883

Link: CVE-2015-9236

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "hapi node module", "vendor": "HackerOne", "versions": [{"status": "affected", "version": "<11.0.0"}]}], "datePublic": "2018-04-26T00:00:00", "descriptions": [{"lang": "en", "value": "Hapi versions less than 11.0.0 implement CORS incorrectly and allowed for configurations that at best returned inconsistent headers and at worst allowed cross-origin activities that were expected to be forbidden. If the connection has CORS enabled but one route has it off, and the route is not GET, the OPTIONS prefetch request will return the default CORS headers and then the actual request will go through and return no CORS headers. This defeats the purpose of turning CORS on the route."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "description": "Improper Access Control - Generic (CWE-284)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2018-05-31T19:57:01", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/hapijs/hapi/issues/2850"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/hapijs/hapi/issues/2840"}, {"tags": ["x_refsource_MISC"], "url": "https://nodesecurity.io/advisories/45"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "support@hackerone.com", "DATE_PUBLIC": "2018-04-26T00:00:00", "ID": "CVE-2015-9236", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "hapi node module", "version": {"version_data": [{"version_value": "<11.0.0"}]}}]}, "vendor_name": "HackerOne"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Hapi versions less than 11.0.0 implement CORS incorrectly and allowed for configurations that at best returned inconsistent headers and at worst allowed cross-origin activities that were expected to be forbidden. If the connection has CORS enabled but one route has it off, and the route is not GET, the OPTIONS prefetch request will return the default CORS headers and then the actual request will go through and return no CORS headers. This defeats the purpose of turning CORS on the route."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Improper Access Control - Generic (CWE-284)"}]}]}, "references": {"reference_data": [{"name": "https://github.com/hapijs/hapi/issues/2850", "refsource": "MISC", "url": "https://github.com/hapijs/hapi/issues/2850"}, {"name": "https://github.com/hapijs/hapi/issues/2840", "refsource": "MISC", "url": "https://github.com/hapijs/hapi/issues/2840"}, {"name": "https://nodesecurity.io/advisories/45", "refsource": "MISC", "url": "https://nodesecurity.io/advisories/45"}]}}}}, "cveMetadata": {"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2015-9236", "datePublished": "2018-04-26T00:00:00", "dateReserved": "2017-10-29T00:00:00", "dateUpdated": "2018-05-31T19:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hapijs:hapi:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "1A8F75AB-20F3-46E7-AB01-F771B607E8A0", "versionEndExcluding": "11.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Hapi versions less than 11.0.0 implement CORS incorrectly and allowed for configurations that at best returned inconsistent headers and at worst allowed cross-origin activities that were expected to be forbidden. If the connection has CORS enabled but one route has it off, and the route is not GET, the OPTIONS prefetch request will return the default CORS headers and then the actual request will go through and return no CORS headers. This defeats the purpose of turning CORS on the route."}, {"lang": "es", "value": "Hapi, en versiones anteriores a la 11.0.0, implementa CORS incorrectamente y permite configuraciones que devuelven cabeceras inconsistentes y, en el peor de los casos, permite actividades Cross-Origin que se espera que est\u00e9n prohibidas. Si la conexi\u00f3n tiene CORS habilitado pero una ruta no la tiene (y, adem\u00e1s, la ruta no es GET), la petici\u00f3n prefetch OPTIONS devolver\u00e1 las cabeceras CORS por defecto y, despu\u00e9s, la petici\u00f3n real pasar\u00e1 y no devolver\u00e1 cabeceras CORS. Esto contradice la finalidad de habilitar CORS en la ruta."}], "id": "CVE-2015-9236", "lastModified": "2019-10-09T23:15:57.883", "metrics": {"cvssMetricV2": [{"acInsufInfo": true, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-05-31T20:29:00.360", "references": [{"source": "support@hackerone.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/hapijs/hapi/issues/2840"}, {"source": "support@hackerone.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/hapijs/hapi/issues/2850"}, {"source": "support@hackerone.com", "tags": ["Third Party Advisory"], "url": "https://nodesecurity.io/advisories/45"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-284"}], "source": "support@hackerone.com", "type": "Secondary"}]}