CVE-2014-7193
CORS Token Disclosure in crumb
EPSS 0.19%
Description
When CORS is enabled on a hapi route handler, it is possible to set a crumb token for a different domain. An attacker would need to have an application consumer visit a site they control, request a route supporting CORS, and then retrieve the token. With this token, they could possibly make requests to non-CORS routes as this user. A configuration and scenario where this would occur is unlikely, as most configurations will set CORS globally (where crumb is not used), or not at all.
Recommendation
Update to version 3.0.0 or greater.
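The advisory's scenario needs two things at once: a crumb version inside the affected range and a route that both enables CORS and is still protected by crumb. The following added example (not code from the advisory or from the crumb/hapi projects) implements both checks as a small audit: a version comparison against the affected range given on this page, and a route-table scan. The route objects use an assumed hapi 8-era shape (`method`, `path`, `config.cors`, `config.plugins.crumb`), and the sample route table is constructed for illustration.

```javascript
// Added example, not part of the advisory or the crumb project.
// Check 1: is an installed crumb version inside the affected range
//          (from 0, < 3.0.0) stated on the advisory page?
// Check 2: which hapi routes enable CORS while crumb protection is still
//          active on them? Those are the routes the advisory's scenario needs.
// Route shape (method, path, config.cors, config.plugins.crumb) is an
// assumption of this example, modelled on hapi 8-era route configs.

// Parse "MAJOR.MINOR.PATCH" (optional leading "v") into three integers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison of two versions: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Affected range from the advisory: every version below 3.0.0.
function isAffectedCrumbVersion(version) {
  return compareVersions(version, '3.0.0') < 0;
}

// crumb applies to a route unless the route opts out with
// config.plugins.crumb === false (assumed per-route convention).
function crumbAppliesTo(route) {
  const plugins = (route.config && route.config.plugins) || {};
  return plugins.crumb !== false;
}

// A route has CORS enabled if it sets config.cors itself, or if it sets
// nothing and the server-wide default (serverCors) is on.
function corsEnabledOn(route, serverCors) {
  const config = route.config || {};
  if (config.cors === undefined) return Boolean(serverCors);
  return Boolean(config.cors);
}

// Return "METHOD /path" for every route that is both CORS-enabled and
// crumb-protected, i.e. the combination the advisory warns about.
function auditRoutes(routes, serverCors = false) {
  return routes
    .filter((r) => corsEnabledOn(r, serverCors) && crumbAppliesTo(r))
    .map((r) => `${r.method.toUpperCase()} ${r.path}`);
}

// Constructed sample route table (not from any real application).
const SAMPLE_ROUTES = [
  { method: 'get', path: '/api/public', config: { cors: true, plugins: { crumb: false } } },
  { method: 'post', path: '/api/profile', config: { cors: true } },
  { method: 'post', path: '/account/delete', config: {} },
  { method: 'get', path: '/widgets', config: { cors: { origin: ['https://partner.example'] } } },
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log('crumb 2.1.0 affected:', isAffectedCrumbVersion('2.1.0'));
  console.log('crumb 3.0.0 affected:', isAffectedCrumbVersion('3.0.0'));
  console.log('CORS + crumb routes:', auditRoutes(SAMPLE_ROUTES));
  console.log('with global CORS:', auditRoutes(SAMPLE_ROUTES, true));
}
```

With per-route CORS, only `/api/profile` and `/widgets` are flagged; `/api/public` opts out of crumb and `/account/delete` has no CORS. With CORS set globally (`serverCors = true`), `/account/delete` is flagged too, which matches the advisory's remark that global CORS is the common case and is fine only where crumb is not in use.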
How to fix CVE-2014-7193
To fix CVE-2014-7193, upgrade the affected package to the patched version below.
- Upgrade to version 3.0.0 or later
Is CVE-2014-7193 being exploited?
Low: EPSS is 0.2%, and no large-scale exploitation activity has been observed so far.
Affected packages (1)
- crumb, versions from 0 up to but not including 3.0.0