CVE-2022-29167 hawk

Package

Manager: npm
Name: hawk
Vulnerable Version: >=0 <9.0.1

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00115 (percentile 0.30916)

Details

Uncontrolled Resource Consumption in Hawk

Hawk is an HTTP authentication scheme providing mechanisms for making authenticated HTTP requests with partial cryptographic verification of the request and response, covering the HTTP method, request URI, host, and optionally the request payload.

Hawk used a regular expression to parse the `Host` HTTP header (`Hawk.utils.parseHost()`), which was subject to a regular expression DoS attack, meaning each added character in the attacker's input increases the computation time exponentially. `parseHost()` was patched in `9.0.1` to use the built-in `URL` class to parse the hostname instead.

`Hawk.authenticate()` accepts an `options` argument. If that contains `host` and `port`, those are used instead of a call to `utils.parseHost()`.
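The fix described above replaces a backtracking regular expression with the built-in `URL` parser, whose running time is linear in the input length. The following is an added example of that approach and is not hawk's own `parseHost()` code: it splits a `Host` header value into hostname and port with `URL`, rejects anything that is not a bare authority (userinfo, path, query), and applies an assumed length cap (`MAX_HOST_HEADER_LENGTH` is a value chosen for this example, not from the advisory) so that oversized headers are dropped before any parsing work is done.

```javascript
// Added example, not hawk's own code: parse an HTTP Host header value with
// the built-in URL class instead of a hand-written regular expression.
// URL parsing is linear in the input length, so no crafted header can cause
// the exponential backtracking that CVE-2022-29167 describes.
const MAX_HOST_HEADER_LENGTH = 4096; // assumed limit for this example

function parseHostHeader(hostHeader, defaultPort = 80) {
  if (typeof hostHeader !== 'string' || hostHeader.length === 0) {
    return null;
  }
  // Cheap length check first: bounds the work before any parsing happens.
  if (hostHeader.length > MAX_HOST_HEADER_LENGTH) {
    return null;
  }
  let url;
  try {
    // Wrap the header in a dummy scheme so the WHATWG parser treats it as an authority.
    url = new URL(`http://${hostHeader}/`);
  } catch (err) {
    return null; // not a valid authority (illegal characters, bad port, ...)
  }
  // Anything beyond a plain host[:port] means the header was not a bare authority.
  if (url.username !== '' || url.password !== '' || url.pathname !== '/' ||
      url.search !== '' || url.hash !== '') {
    return null;
  }
  // url.hostname is lower-cased; IPv6 literals come back bracketed, e.g. "[::1]".
  const name = url.hostname;
  // url.port is '' when absent or when it equals the scheme default (80 for http).
  const port = url.port === '' ? defaultPort : Number(url.port);
  return { name, port };
}

// Constructed sample inputs, as a server would see them in the Host header.
const samples = ['example.com', 'Example.COM:8443', '[::1]:3000', 'bad host', 'user@example.com'];
for (const h of samples) {
  console.log(JSON.stringify(h), '->', JSON.stringify(parseHostHeader(h)));
}

module.exports = { parseHostHeader, MAX_HOST_HEADER_LENGTH };
```

The advisory also notes that callers who already know the expected `host` and `port` can pass them in the `options` argument of `Hawk.authenticate()`, which skips header parsing altogether; that is the simplest mitigation when the deployment's hostname is fixed.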

Metadata

Created: 2022-05-23T20:18:14Z
Modified: 2022-05-23T20:18:14Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-44pw-h2cw-w3vq/GHSA-44pw-h2cw-w3vq.json
CWE IDs: ["CWE-1333", "CWE-400"]
Alternative ID: GHSA-44pw-h2cw-w3vq
Finding: F067
Auto approve: 1