Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTM2M2gtdmo2cS0zY21q

Moderate EPSS: 0.37759% (0.97039 Percentile) EPSS:
Permalink JSON

Rosetta-Flash JSONP Vulnerability in hapi

Affected Packages Affected Versions Fixed Versions
npm:hapi
PURL: pkg:npm/hapi
< 6.1.0 6.1.0
2,534 Dependent packages
32,983 Dependent repositories
299,509 Downloads last month

Affected Version Ranges

All affected versions

0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.2.0, 0.2.1, 0.3.0, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.5.0, 0.5.1, 0.5.1-a, 0.5.1-b, 0.5.1-b2, 0.5.1-c, 0.5.2, 0.6.0, 0.6.1, 0.7.0, 0.7.1, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.9.0, 0.9.1, 0.9.2, 0.10.0, 0.10.1, 0.11.0, 0.11.1, 0.11.2, 0.11.3, 0.11.4, 0.12.0, 0.13.0, 0.13.1, 0.13.2, 0.13.3, 0.14.0, 0.14.1, 0.14.2, 0.15.0, 0.15.1, 0.15.2, 0.15.3, 0.15.4, 0.15.5, 0.15.6, 0.15.7, 0.15.8, 0.15.9, 0.16.0, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.5.0, 1.6.0, 1.6.1, 1.6.2, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.9.0, 1.9.1, 1.9.2, 1.9.3, 1.9.4, 1.9.5, 1.9.6, 1.9.7, 1.10.0, 1.11.0, 1.11.1, 1.12.0, 1.13.0, 1.14.0, 1.15.0, 1.16.0, 1.16.1, 1.17.0, 1.18.0, 1.19.0, 1.19.1, 1.19.2, 1.19.3, 1.19.4, 1.19.5, 1.20.0, 2.0.0, 2.0.0-preview, 2.1.0, 2.1.1, 2.1.2, 2.2.0, 2.3.0, 2.4.0, 2.5.0, 2.6.0, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 5.0.0, 5.1.0, 6.0.0, 6.0.1, 6.0.2

All unaffected versions

6.1.0, 6.2.0, 6.2.1, 6.2.2, 6.3.0, 6.4.0, 6.5.0, 6.5.1, 6.6.0, 6.7.0, 6.7.1, 6.8.0, 6.8.1, 6.9.0, 6.10.0, 6.11.0, 6.11.1, 7.0.0, 7.0.1, 7.1.0, 7.1.1, 7.2.0, 7.3.0, 7.4.0, 7.5.0, 7.5.1, 7.5.2, 7.5.3, 8.0.0, 8.1.0, 8.2.0, 8.3.0, 8.3.1, 8.4.0, 8.5.0, 8.5.1, 8.5.2, 8.5.3, 8.6.0, 8.6.1, 8.8.0, 8.8.1, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.1.0, 9.2.0, 9.3.0, 9.3.1, 9.5.1, 10.0.0, 10.0.1, 10.1.0, 10.2.1, 10.4.0, 10.4.1, 10.5.0, 11.0.0, 11.0.1, 11.0.2, 11.0.3, 11.0.4, 11.0.5, 11.1.0, 11.1.1, 11.1.2, 11.1.3, 11.1.4, 12.0.0, 12.0.1, 12.1.0, 13.0.0, 13.1.0, 13.2.0, 13.2.1, 13.2.2, 13.3.0, 13.4.0, 13.4.1, 13.4.2, 13.5.0, 13.5.3, 14.0.0, 14.1.0, 14.2.0, 15.0.1, 15.0.2, 15.0.3, 15.1.0, 15.1.1, 15.2.0, 16.0.0, 16.0.1, 16.0.2, 16.0.3, 16.1.0, 16.1.1, 16.2.0, 16.3.0, 16.3.1, 16.4.0, 16.4.1, 16.4.2, 16.4.3, 16.5.0, 16.5.1, 16.5.2, 16.6.0, 16.6.1, 16.6.2, 16.6.3, 16.6.4, 16.6.5, 16.7.0, 16.8.4, 17.0.0, 17.0.1, 17.0.2, 17.1.0, 17.1.1, 17.2.0, 17.2.1, 17.2.2, 17.2.3, 17.3.0, 17.3.1, 17.4.0, 17.5.0, 17.5.1, 17.5.2, 17.5.3, 17.5.4, 17.5.5, 17.6.0, 17.6.1, 17.6.2, 17.6.3, 17.6.4, 17.7.0, 17.8.0, 17.8.1, 17.8.2, 17.8.3, 17.8.4, 17.8.5, 18.0.0, 18.0.1, 18.1.0

This description taken from the pull request provided by Patrick Kettner.

Versions 6.1.0 and earlier of hapi are vulnerable to a rosetta-flash attack, which can be used by attackers to send data across domains and break the browser same-origin-policy.

Recommendation

  • Update hapi to version 6.1.1 or later.

Alternatively, a solution previously implemented by Google, Facebook, and Github is to prepend callbacks with an empty inline comment. This will cause the flash parser to break on invalid inputs and prevent the issue, and how the issue has been resolved internally in hapi.

References:

Identifiers

GHSA-363h-vj6q-3cmj

CVE-2014-4671

Risk

Severity

Moderate

EPSS

EPSS Percentage: 0.37759

EPSS Percentile: 0.97039

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/spumko/hapi

Date and time

Published

about 5 years ago

Updated

over 2 years ago

API

JSON