CVE-2015-9236

{"id": "CVE-2015-9236", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": true, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2018-05-31T20:29:00.360", "references": [{"url": "https://github.com/hapijs/hapi/issues/2840", "tags": ["Patch", "Third Party Advisory"], "source": "support@hackerone.com"}, {"url": "https://github.com/hapijs/hapi/issues/2850", "tags": ["Release Notes", "Third Party Advisory"], "source": "support@hackerone.com"}, {"url": "https://nodesecurity.io/advisories/45", "tags": ["Third Party Advisory"], "source": "support@hackerone.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-200"}]}, {"type": "Secondary", "source": "support@hackerone.com", "description": [{"lang": "en", "value": "CWE-284"}]}], "descriptions": [{"lang": "en", "value": "Hapi versions less than 11.0.0 implement CORS incorrectly and allowed for configurations that at best returned inconsistent headers and at worst allowed cross-origin activities that were expected to be forbidden. If the connection has CORS enabled but one route has it off, and the route is not GET, the OPTIONS prefetch request will return the default CORS headers and then the actual request will go through and return no CORS headers. This defeats the purpose of turning CORS on the route."}, {"lang": "es", "value": "Hapi, en versiones anteriores a la 11.0.0, implementa CORS incorrectamente y permite configuraciones que devuelven cabeceras inconsistentes y, en el peor de los casos, permite actividades Cross-Origin que se espera que est\u00e9n prohibidas. Si la conexi\u00f3n tiene CORS habilitado pero una ruta no la tiene (y, adem\u00e1s, la ruta no es GET), la petici\u00f3n prefetch OPTIONS devolver\u00e1 las cabeceras CORS por defecto y, despu\u00e9s, la petici\u00f3n real pasar\u00e1 y no devolver\u00e1 cabeceras CORS. Esto contradice la finalidad de habilitar CORS en la ruta."}], "lastModified": "2019-10-09T23:15:57.883", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:hapijs:hapi:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "1A8F75AB-20F3-46E7-AB01-F771B607E8A0", "versionEndExcluding": "11.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "support@hackerone.com"}