CVSS2: 4.3 Medium
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N
EPSS: 0.015 Low (Percentile: 87.2%)
This description is taken from the pull request provided by Patrick Kettner.
Versions 6.1.0 and earlier of hapi are vulnerable to a Rosetta Flash attack, which can be used by attackers to send data across domains and break the browser same-origin policy.
Alternatively, a solution previously implemented by Google, Facebook, and GitHub is to prepend callbacks with an empty inline comment. This will cause the Flash parser to break on invalid inputs and prevent the issue, and is how the issue has been resolved internally in hapi.
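The comment-prefix mitigation described above, as an added example that is not hapi's own code: `buildJsonp`, `startsLikeSwf` and the callback allow-list are hypothetical names. The example shows why an allow-list on the callback name alone is not enough, since an alphanumeric-only callback still controls the first bytes of the response until `/**/` is prepended.

```javascript
'use strict';

// Added example, not hapi's implementation. All names here are hypothetical.

// A typical JSONP callback allow-list: identifiers and dotted paths only.
const CALLBACK_RE = /^[A-Za-z0-9_$.]+$/;

// Three-byte signatures a Flash parser accepts at offset 0 of a SWF file.
const SWF_SIGNATURES = ['FWS', 'CWS', 'ZWS'];

// Build a JSONP response body. With prefix=true (the default) the body starts
// with an empty inline comment, so the caller-supplied callback name no longer
// occupies the first bytes of the response.
function buildJsonp(callback, payload, { prefix = true } = {}) {
  if (typeof callback !== 'string' || !CALLBACK_RE.test(callback)) {
    throw new TypeError('invalid JSONP callback name');
  }
  // U+2028/U+2029 are valid in JSON but were line terminators in older
  // JavaScript string literals, so escape them before embedding in script.
  const json = JSON.stringify(payload)
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  return `${prefix ? '/**/' : ''}${callback}(${json});`;
}

// Defender-side check: would a content-sniffing Flash parser see a SWF header?
function startsLikeSwf(body) {
  return SWF_SIGNATURES.includes(body.slice(0, 3));
}

// Constructed sample input: an alphanumeric callback name that passes the
// allow-list yet begins with a SWF signature. It is not a working payload.
const sampleCallback = 'CWSabc123';
const unprefixed = buildJsonp(sampleCallback, { ok: true }, { prefix: false });
const prefixed = buildJsonp(sampleCallback, { ok: true });

console.log(unprefixed, '-> SWF-like header:', startsLikeSwf(unprefixed));
console.log(prefixed, '-> SWF-like header:', startsLikeSwf(prefixed));
```
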
helpx.adobe.com/security/products/flash-player/apsb14-17.html
miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/
rhn.redhat.com/errata/RHSA-2014-0860.html
secunia.com/advisories/59774
secunia.com/advisories/59837
security.gentoo.org/glsa/glsa-201407-02.xml
www.securityfocus.com/bid/68457
www.securitytracker.com/id/1030533
github.com/advisories/GHSA-363h-vj6q-3cmj
github.com/hapijs/hapi/commit/d47f57abf23bdaa84f61aed2bac94ae5f358afb7
github.com/patrickkettner
github.com/spumko/hapi/pull/1766
nvd.nist.gov/vuln/detail/CVE-2014-4671
www.npmjs.com/advisories/12