npm package
hapi
pkg:npm/hapi
Vulnerabilities (6)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2017-16013 | — | | | >= 15.0.0, < 16.1.1 | 16.1.1 | Jun 4, 2018 | hapi is a web and services application framework. When hapi >= 15.0.0 <= 16.1.0 encounters a malformed `accept-encoding` header an uncaught exception is thrown. This may cause hapi to crash or to hang the client connection until the timeout period is reached. |
| CVE-2015-9236 | — | | | < 11.0.0 | 11.0.0 | May 31, 2018 | Hapi versions less than 11.0.0 implement CORS incorrectly and allowed for configurations that at best returned inconsistent headers and at worst allowed cross-origin activities that were expected to be forbidden. If the connection has CORS enabled but one route has it off, and th |
| CVE-2015-9243 | — | | | < 11.1.4 | 11.1.4 | May 29, 2018 | When server level, connection level or route level CORS configurations in hapi node module before 11.1.4 are combined and when a higher level config included security restrictions (like origin), a higher level config that included security restrictions (like origin) would have th |
| CVE-2015-9241 | — | | | < 11.1.3 | 11.1.3 | May 29, 2018 | Certain input passed into the If-Modified-Since or Last-Modified headers will cause an 'illegal access' exception to be raised. Instead of sending a HTTP 500 error back to the sender, hapi node module before 11.1.3 will continue to hold the socket open until timed out (default no |
| CVE-2014-4671 | — | | | < 6.1.0 | 6.1.0 | Jul 9, 2014 | Adobe Flash Player before 13.0.0.231 and 14.x before 14.0.0.145 on Windows and OS X and before 11.2.202.394 on Linux, Adobe AIR before 14.0.0.137 on Android, Adobe AIR SDK before 14.0.0.137, and Adobe AIR SDK & Compiler before 14.0.0.137 do not properly restrict the SWF file form |
| CVE-2014-3742 | — | | | >= 2.0.0, < 2.2.0 | 2.2.0 | May 16, 2014 | The hapi server framework 2.0.x and 2.1.x before 2.2.0 for Node.js allows remote attackers to cause a denial of service (file descriptor consumption and process crash) via unspecified vectors. |