Cross-Origin Resource Sharing Misconfiguration in Hapi Framework
CVE-2015-9236

5.3 MEDIUM

Key Information:

Vendor: Hackerone
CVE Published: 31 May 2018

What is CVE-2015-9236?

The Hapi Framework prior to version 11.0.0 has a security misconfiguration in its Cross-Origin Resource Sharing (CORS) handling. The server can return inconsistent CORS headers, so cross-origin requests may bypass restrictions that were meant to protect the application. Specifically, when CORS is enabled on the server but disabled on an individual route, and the request method is not GET, the OPTIONS preflight request may be answered with the server's default CORS headers rather than the route's own settings. The preflight therefore gives a false sense of security: the browser treats the cross-origin request as permitted, the route's CORS restriction is bypassed, and the application is exposed to cross-origin attacks against that route.
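The preflight/actual-request mismatch described above, modelled in a small added JavaScript example that is not hapi's own code: the server default, route table, origin and header logic are constructed for illustration, and the consistency check is the comparison a defender would make against a real deployment.

```javascript
// Added example (not hapi's own code): a minimal model of server-wide vs
// per-route CORS settings, showing the preflight/actual-request mismatch the
// advisory describes and the check a defender can use to spot it.

// Constructed server-wide default: CORS enabled for any origin.
const SERVER_CORS = { enabled: true };

// Constructed route table: one non-GET route opts out of CORS entirely.
const ROUTES = [
  { method: 'GET',  path: '/public', cors: true },
  { method: 'POST', path: '/admin',  cors: false },
];

function findRoute(method, path) {
  return ROUTES.find((r) => r.method === method && r.path === path) || null;
}

// Headers on the actual (non-preflight) response: the route's own setting wins.
function actualResponseHeaders(method, path, origin) {
  const route = findRoute(method, path);
  if (!route || !route.cors) return {};
  return { 'access-control-allow-origin': origin };
}

// Preflight as the advisory describes it: OPTIONS is answered from the
// server-wide default without consulting the route the request targets.
function flawedPreflightHeaders(method, path, origin) {
  const route = findRoute(method, path);
  if (!route || !SERVER_CORS.enabled) return {};
  // Bug modelled here: route.cors === false is never checked.
  return { 'access-control-allow-origin': origin };
}

// Corrected preflight: resolve the target route first, then apply its setting,
// so preflight and actual response can never disagree.
function fixedPreflightHeaders(method, path, origin) {
  return actualResponseHeaders(method, path, origin);
}

// Defender check: the origin the preflight grants must match what the actual
// response grants. A preflight that grants more lets the browser send the
// cross-origin non-GET request even though the route disabled CORS.
function corsConsistent(preflightFn, method, path, origin) {
  const pre = preflightFn(method, path, origin)['access-control-allow-origin'];
  const act = actualResponseHeaders(method, path, origin)['access-control-allow-origin'];
  return pre === act;
}
```

On a live server the same comparison is made by issuing an OPTIONS request and the real non-GET request with the same Origin header and diffing the Access-Control-Allow-Origin values.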

Affected Version(s)

hapi node module <11.0.0


CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved