History: Jun 04, 2018 - 7:29 p.m.

CVE-2017-16013

2018-06-04 19:29:00
CWE-400
CWE-20
hackerone
web.nvd.nist.gov
30
hapi
web application
services
framework
cve-2017-16013
security vulnerability

CVSS2: 5

Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3: 7.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.001
Percentile: 43.0%

hapi is a web and services application framework. When hapi versions >= 15.0.0 and <= 16.1.0 encounter a malformed accept-encoding header, an uncaught exception is thrown. This may cause hapi to crash or to hang the client connection until the timeout period is reached.

Affected configurations

Nvd

Node: hapijs hapi, Range 15.0.0 - 16.1.0, node.js

Vendor | Product | Version | CPE
hapijs | hapi | * | cpe:2.3:a:hapijs:hapi:*:*:*:*:*:node.js:*:*

CNA Affected

[
  {
    "product": "hapi node module",
    "vendor": "HackerOne",
    "versions": [
      {
        "status": "affected",
        "version": ">= 15.0.0 <= 16.1.0"
      }
    ]
  }
]
