Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTM2M2gtdmo2cS0zY21q

Rosetta-Flash JSONP Vulnerability in hapi

This description taken from the pull request provided by Patrick Kettner.

Versions 6.1.0 and earlier of hapi are vulnerable to a rosetta-flash attack, which can be used by attackers to send data across domains and break the browser same-origin-policy.

Recommendation

Update hapi to version 6.1.1 or later.

Alternatively, a solution previously implemented by Google, Facebook, and Github is to prepend callbacks with an empty inline comment. This will cause the flash parser to break on invalid inputs and prevent the issue, and how the issue has been resolved internally in hapi.

Permalink: https://github.com/advisories/GHSA-363h-vj6q-3cmj
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTM2M2gtdmo2cS0zY21q
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 4 years ago
Updated: almost 2 years ago

EPSS Percentage: 0.06868
EPSS Percentile: 0.93832

Identifiers: GHSA-363h-vj6q-3cmj, CVE-2014-4671
References:

Repository: https://github.com/spumko/hapi
Blast Radius: 0.0

Affected Packages

npm:hapi

Dependent packages: 2,534
Dependent repositories: 32,983
Downloads: 133,345 last month
Affected Version Ranges: < 6.1.0
Fixed in: 6.1.0
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.2.0, 0.2.1, 0.3.0, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.5.0, 0.5.1, 0.5.2, 0.6.0, 0.6.1, 0.7.0, 0.7.1, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.9.0, 0.9.1, 0.9.2, 0.10.0, 0.10.1, 0.11.0, 0.11.1, 0.11.2, 0.11.3, 0.11.4, 0.12.0, 0.13.0, 0.13.1, 0.13.2, 0.13.3, 0.14.0, 0.14.1, 0.14.2, 0.15.0, 0.15.1, 0.15.2, 0.15.3, 0.15.4, 0.15.5, 0.15.6, 0.15.7, 0.15.8, 0.15.9, 0.16.0, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.5.0, 1.6.0, 1.6.1, 1.6.2, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.9.0, 1.9.1, 1.9.2, 1.9.3, 1.9.4, 1.9.5, 1.9.6, 1.9.7, 1.10.0, 1.11.0, 1.11.1, 1.12.0, 1.13.0, 1.14.0, 1.15.0, 1.16.0, 1.16.1, 1.17.0, 1.18.0, 1.19.0, 1.19.1, 1.19.2, 1.19.3, 1.19.4, 1.19.5, 1.20.0, 2.0.0, 2.1.0, 2.1.1, 2.1.2, 2.2.0, 2.3.0, 2.4.0, 2.5.0, 2.6.0, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 5.0.0, 5.1.0, 6.0.0, 6.0.1, 6.0.2
All unaffected versions: 6.1.0, 6.2.0, 6.2.1, 6.2.2, 6.3.0, 6.4.0, 6.5.0, 6.5.1, 6.6.0, 6.7.0, 6.7.1, 6.8.0, 6.8.1, 6.9.0, 6.10.0, 6.11.0, 6.11.1, 7.0.0, 7.0.1, 7.1.0, 7.1.1, 7.2.0, 7.3.0, 7.4.0, 7.5.0, 7.5.1, 7.5.2, 7.5.3, 8.0.0, 8.1.0, 8.2.0, 8.3.0, 8.3.1, 8.4.0, 8.5.0, 8.5.1, 8.5.2, 8.5.3, 8.6.0, 8.6.1, 8.8.0, 8.8.1, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.1.0, 9.2.0, 9.3.0, 9.3.1, 9.5.1, 10.0.0, 10.0.1, 10.1.0, 10.2.1, 10.4.0, 10.4.1, 10.5.0, 11.0.0, 11.0.1, 11.0.2, 11.0.3, 11.0.4, 11.0.5, 11.1.0, 11.1.1, 11.1.2, 11.1.3, 11.1.4, 12.0.0, 12.0.1, 12.1.0, 13.0.0, 13.1.0, 13.2.0, 13.2.1, 13.2.2, 13.3.0, 13.4.0, 13.4.1, 13.4.2, 13.5.0, 13.5.3, 14.0.0, 14.1.0, 14.2.0, 15.0.1, 15.0.2, 15.0.3, 15.1.0, 15.1.1, 15.2.0, 16.0.0, 16.0.1, 16.0.2, 16.0.3, 16.1.0, 16.1.1, 16.2.0, 16.3.0, 16.3.1, 16.4.0, 16.4.1, 16.4.2, 16.4.3, 16.5.0, 16.5.1, 16.5.2, 16.6.0, 16.6.1, 16.6.2, 16.6.3, 16.6.4, 16.6.5, 16.7.0, 16.8.4, 17.0.0, 17.0.1, 17.0.2, 17.1.0, 17.1.1, 17.2.0, 17.2.1, 17.2.2, 17.2.3, 17.3.0, 17.3.1, 17.4.0, 17.5.0, 17.5.1, 17.5.2, 17.5.3, 17.5.4, 17.5.5, 17.6.0, 17.6.1, 17.6.2, 17.6.3, 17.6.4, 17.7.0, 17.8.0, 17.8.1, 17.8.2, 17.8.3, 17.8.4, 17.8.5, 18.0.0, 18.0.1, 18.1.0