CVE-2015-9241 - OpenCVE

Certain input passed into the If-Modified-Since or Last-Modified headers will cause an 'illegal access' exception to be raised. Instead of sending a HTTP 500 error back to the sender, hapi node module before 11.1.3 will continue to hold the socket open until timed out (default node timeout is 2 minutes).

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:N/C:N/I:N/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Hapijs	Hapi

Configuration 1 [-]

cpe:2.3:a:hapijs:hapi:*:*:*:*:*:node.js:*:*

References

Link	Resource
https://github.com/hapijs/hapi/commit/aab2496e930dce5ee1ab28eecec94e0e45f03580	Patch Third Party Advisory
https://github.com/jfhbrook/node-ecstatic/pull/179	Exploit Issue Tracking Third Party Advisory
https://nodesecurity.io/advisories/63	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: hackerone

Published: 2018-04-26T00:00:00

Updated: 2018-05-29T19:57:02

Reserved: 2017-10-29T00:00:00

Link: CVE-2015-9241

JSON object: View

NVD Information

Status : Modified

Published: 2018-05-29T20:29:00.440

Modified: 2019-10-09T23:15:58.277

Link: CVE-2015-9241

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "hapi node module", "vendor": "HackerOne", "versions": [{"status": "affected", "version": "<11.1.3"}]}], "datePublic": "2018-04-26T00:00:00", "descriptions": [{"lang": "en", "value": "Certain input passed into the If-Modified-Since or Last-Modified headers will cause an 'illegal access' exception to be raised. Instead of sending a HTTP 500 error back to the sender, hapi node module before 11.1.3 will continue to hold the socket open until timed out (default node timeout is 2 minutes)."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "Denial of Service (CWE-400)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2018-05-29T19:57:02", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/jfhbrook/node-ecstatic/pull/179"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/hapijs/hapi/commit/aab2496e930dce5ee1ab28eecec94e0e45f03580"}, {"tags": ["x_refsource_MISC"], "url": "https://nodesecurity.io/advisories/63"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "support@hackerone.com", "DATE_PUBLIC": "2018-04-26T00:00:00", "ID": "CVE-2015-9241", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "hapi node module", "version": {"version_data": [{"version_value": "<11.1.3"}]}}]}, "vendor_name": "HackerOne"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Certain input passed into the If-Modified-Since or Last-Modified headers will cause an 'illegal access' exception to be raised. Instead of sending a HTTP 500 error back to the sender, hapi node module before 11.1.3 will continue to hold the socket open until timed out (default node timeout is 2 minutes)."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Denial of Service (CWE-400)"}]}]}, "references": {"reference_data": [{"name": "https://github.com/jfhbrook/node-ecstatic/pull/179", "refsource": "MISC", "url": "https://github.com/jfhbrook/node-ecstatic/pull/179"}, {"name": "https://github.com/hapijs/hapi/commit/aab2496e930dce5ee1ab28eecec94e0e45f03580", "refsource": "MISC", "url": "https://github.com/hapijs/hapi/commit/aab2496e930dce5ee1ab28eecec94e0e45f03580"}, {"name": "https://nodesecurity.io/advisories/63", "refsource": "MISC", "url": "https://nodesecurity.io/advisories/63"}]}}}}, "cveMetadata": {"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2015-9241", "datePublished": "2018-04-26T00:00:00", "dateReserved": "2017-10-29T00:00:00", "dateUpdated": "2018-05-29T19:57:02", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hapijs:hapi:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "C824DAF6-2DA3-41AB-B2E4-D3D40AB72C83", "versionEndExcluding": "11.1.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Certain input passed into the If-Modified-Since or Last-Modified headers will cause an 'illegal access' exception to be raised. Instead of sending a HTTP 500 error back to the sender, hapi node module before 11.1.3 will continue to hold the socket open until timed out (default node timeout is 2 minutes)."}, {"lang": "es", "value": "Ciertas entradas pasadas a las cabeceras If-Modified-Since o Last-Modified provocar\u00e1n una excepci\u00f3n \"illegal access\". En lugar de enviar un error HTTP 500 de nuevo al remitente, el m\u00f3dulo hapi node en versiones anteriores a la 11.1.3 seguir\u00e1 manteniendo abierto el socket hasta que se agote el tiempo (el tiempo de agotamiento por defecto es de 2 minutos)."}], "id": "CVE-2015-9241", "lastModified": "2019-10-09T23:15:58.277", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-05-29T20:29:00.440", "references": [{"source": "support@hackerone.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/hapijs/hapi/commit/aab2496e930dce5ee1ab28eecec94e0e45f03580"}, {"source": "support@hackerone.com", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/jfhbrook/node-ecstatic/pull/179"}, {"source": "support@hackerone.com", "tags": ["Third Party Advisory"], "url": "https://nodesecurity.io/advisories/63"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-400"}], "source": "support@hackerone.com", "type": "Secondary"}]}