Vulnerability Details : CVE-2016-10543
call is an HTTP router that is primarily used by the hapi framework. There exists a bug in call versions 2.0.1-3.0.1 that does not validate empty parameters, which could result in invalid input bypassing the route validation rules.
Vulnerability category: Input validation
Exploit prediction scoring system (EPSS) score for CVE-2016-10543
Probability of exploitation activity in the next 30 days: 0.12%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 45 %
CVSS scores for CVE-2016-10543
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N | 10.0 | 2.9 | NIST |
5.3 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N | 3.9 | 1.4 | NIST |
CWE ids for CVE-2016-10543
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
  Assigned by:
  - nvd@nist.gov (Primary)
  - support@hackerone.com (Secondary)
References for CVE-2016-10543
- https://nodesecurity.io/advisories/121
  npm (Exploit; Third Party Advisory)
- https://github.com/hapijs/hapi/issues/3228
  Update hapijs/call to 3.0.2 from 3.0.1 · Issue #3228 · hapijs/hapi · GitHub (Third Party Advisory)
Products affected by CVE-2016-10543
- Call Project » Call » For Node.js
  Versions from including (>=) 2.0.1 and up to, including, (<=) 3.0.1
  cpe:2.3:a:call_project:call:*:*:*:*:*:node.js:*:*