Lucene search

10 matches found

vulnersOsv
added 2020/09/03 3:48 p.m., 2 views

3nit-utils (=0.24.0), @cloudinary/mediaflows-cli (>=0.0.23-beta <=0.0.28) +40 more potentially affected by unknown CVE via @hapi/hapi (>=17.9.0 <=18.4.0)

@hapi/hapi NPM version =17.9.0, =0.0.23-beta, =0.4.0, =7.4.0, =7.0.0, =8.5.0, =0.1.0, =0.7.0, =2.12.6, =1.8.0, =1.8.0, =3.1.0, =3.2.2 and more. Source CVEs: unknown CVE. Source advisory: OSV:GHSA-23VW-MHV5-GRV5...

5.8 AI score
Exploits: 0

vulnersOsv
added 2020/09/03 3:48 p.m., 1 view

3nit-components (>=0.0.2 <=0.0.4), 3nit-utils (>=0.3.0 <=0.23.0) +1619 more potentially affected by unknown CVE via hapi (>=0.14.2 <=9.5.1)

hapi NPM version =0.14.2, =0.0.2, =0.3.0, =1.0.0, =1.16.0, =1.16.0, =1.16.0, =1.0.0, =0.0.1, =0.1.0, =0.9.0, =1.0.7, =0.0.1, =1.0.8, =11.1.27-alpha.4606607431 and more. Source CVEs: unknown CVE. Source advisory: OSV:GHSA-7HX8-2RXV-66XV...

5.8 AI score
Exploits: 0

vulnersOsv
added 2020/09/01 3:20 p.m., 3 views

@kmanion/senpai (=1.0.0), be-more-hapi (=1.0.0-rc.1.1) +39 more potentially affected by CVE-2015-9243 via hapi (>=0.14.2 <=11.1.2)

hapi NPM version =0.14.2, =0.1.0-pre, =0.0.2, =0.0.7, =0.1.0, =0.1.0, =0.0.1, =0.0.4 - hapi-auth-passthrough =1.0.0 - hapi-exit =0.0.2 - hapi-mongoose-connect =1.0.0 - hapi-register-example =1.0.1 and more. Source CVEs: CVE-2015-9243. Source advisory: OSV:GHSA-J3G2-M5JJ-6336...

5.9 CVSS, 6.2 AI score, 0.00165 EPSS
Exploits: 1

vulnersOsv
added 2020/08/31 10:45 p.m., 2 views

3nit-components (>=0.0.2 <=0.0.4), 3nit-utils (>=0.3.0 <=0.23.0) +1450 more potentially affected by CVE-2014-4671 via hapi (>=0.14.2 <=6.11.1)

hapi NPM version =0.14.2, =0.0.2, =0.3.0, =1.0.0, =1.16.0, =1.16.0, =1.16.0, =1.0.0, =0.0.1, =0.1.0, =0.9.0, =1.0.7, =0.0.1, =1.0.8, =11.1.27-alpha.4606607431 and more. Source CVEs: CVE-2014-4671. Source advisory: OSV:GHSA-363H-VJ6Q-3CMJ...

4.3 CVSS, 7 AI score, 0.35827 EPSS
Exploits: 4

Veracode
added 2018/09/05 8:39 a.m., 7 views

Timing Attack Through Insecure Password Comparison

hapi is vulnerable to timing attacks through non-constant-time password comparison. The vulnerability exists due to the use of !== to compare two password strings, allowing timing attacks to occur...

6.8 AI score
Exploits: 0

vulnersOsv
added 2018/06/07 7:43 p.m., 2 views

@kmanion/senpai (=1.0.0), briskly (>=0.1.0-pre <=0.1.1-pre) +37 more potentially affected by CVE-2015-9236 via hapi (>=0.14.2 <=10.5.0)

hapi NPM version =0.14.2, =0.1.0-pre, =0.0.2, =0.0.7, =0.1.0, =0.1.0, =0.0.1, =0.0.4 - hapi-auth-passthrough =1.0.0 - hapi-exit =0.0.2 - hapi-mongoose-connect =1.0.0 - hapi-register-example =1.0.1 - hapi-sass-example =0.1.0 and more. Source CVEs: CVE-2015-9236. Source advisory: OSV:GHSA-VWRF-R5R4-7...

5.3 CVSS, 6 AI score, 0.00248 EPSS
Exploits: 0

vulnersOsv
added 2018/06/07 7:43 p.m., 3 views

@kmanion/senpai (=1.0.0), be-more-hapi (=1.0.0-rc.1.1) +39 more potentially affected by CVE-2015-9241 via hapi (>=0.14.2 <=11.1.2)

hapi NPM version =0.14.2, =0.1.0-pre, =0.0.2, =0.0.7, =0.1.0, =0.1.0, =0.0.1, =0.0.4 - hapi-auth-passthrough =1.0.0 - hapi-exit =0.0.2 - hapi-mongoose-connect =1.0.0 - hapi-register-example =1.0.1 and more. Source CVEs: CVE-2015-9241. Source advisory: OSV:GHSA-RC8H-3FV6-PXV8...

7.5 CVSS, 7.1 AI score, 0.00346 EPSS
Exploits: 1

Node.js
added 2015/12/28 5:13 p.m., 30 views

Unsafe Merging of CORS Configuration Conflict

Overview: Versions of hapi prior to 11.1.4 are affected by a vulnerability that causes route-level CORS configuration to override connection-level or server-level CORS defaults. This may result in a situation where CORS permissions are less restrictive than intended. Recommendation: Update hapi to...

4.3 CVSS, 3.7 AI score, 0.00165 EPSS
Exploits: 1, Affected Software: 1

Node.js
added 2015/12/23 10:4 p.m., 25 views

Denial of Service

Overview: Versions of hapi prior to 11.1.3 are affected by a denial of service vulnerability. The vulnerability is triggered when certain input is passed into the If-Modified-Since or Last-Modified headers. This causes an 'illegal access' exception to be raised, and instead of sending an HTTP 500...

5 CVSS, 2.2 AI score, 0.00346 EPSS
Exploits: 1, Affected Software: 1

Node.js
added 2015/10/17 7:41 p.m., 63 views

Rosetta-Flash JSONP Vulnerability

Overview: This description is taken from the pull request provided by Patrick Kettner. Versions 6.1.0 and earlier of hapi are vulnerable to a rosetta-flash attack, which can be used by attackers to send data across domains and break the browser same-origin policy. Recommendation: Update hapi to...

4.3 CVSS, 1.3 AI score, 0.35827 EPSS
Exploits: 4, Affected Software: 1