CVE-2014-7193
CORS Token Disclosure in crumb
EPSS 0.19%
Description
When CORS is enabled on a hapi route handler, it is possible to set a crumb token for a different domain. An attacker would need to have an application consumer visit a site they control, request a route supporting CORS, and then retrieve the token. With this token, they could possibly make requests to non-CORS routes as this user. A configuration and scenario where this would occur is unlikely, as most configurations will set CORS globally (where crumb is not used), or not at all.
Recommendation
Update to version 3.0.0 or greater.
How to fix CVE-2014-7193
To remediate CVE-2014-7193, upgrade the affected package to a fixed version below.
- crumb: upgrade to 3.0.0 or later
Is CVE-2014-7193 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- crumb: >= 0, < 3.0.0