GHSA-44pw-h2cw-w3vq

Source
https://github.com/advisories/GHSA-44pw-h2cw-w3vq
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-44pw-h2cw-w3vq/GHSA-44pw-h2cw-w3vq.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-44pw-h2cw-w3vq
Aliases
Published
2022-05-23T20:18:14Z
Modified
2023-11-08T04:09:08.620639Z
Severity
  • 7.4 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H
Summary
Uncontrolled Resource Consumption in Hawk
Details

Hawk is an HTTP authentication scheme providing mechanisms for making authenticated HTTP requests with partial cryptographic verification of the request and response, covering the HTTP method, request URI, host, and optionally the request payload. Hawk used a regular expression to parse the Host HTTP header (Hawk.utils.parseHost()), which was subject to a regular expression denial-of-service (ReDoS) attack: each added character in the attacker's input increases the computation time exponentially. parseHost() was patched in 9.0.1 to use the built-in URL class to parse the hostname instead. Hawk.authenticate() accepts an options argument; if that contains host and port, those are used instead of a call to utils.parseHost().
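
As an added illustration of the two points above (the regex-free parser the 9.0.1 fix moved to, and the pre-9.0.1 workaround of passing host and port in the options), here is constructed example code that is not Hawk's own; the 255-character limit, the `req.headers.host` lookup and the `scheme` parameter are assumptions of this example.

```javascript
// Constructed example (not Hawk's own code): parse a Host header with the
// built-in URL class, the approach the 9.0.1 fix takes, so parsing cost is
// linear in the input and there is no backtracking regex to exhaust.
function parseHost(hostHeader, scheme = 'http') {
  // Refuse absurd inputs before any parsing at all (assumed limit, not Hawk's).
  if (typeof hostHeader !== 'string' || hostHeader.length === 0 ||
      hostHeader.length > 255 || hostHeader !== hostHeader.trim()) {
    return null;
  }
  let url;
  try {
    url = new URL(`${scheme}://${hostHeader}/`);
  } catch (_err) {
    return null; // bad port, bad bracket, forbidden characters: URL rejects them
  }
  // Anything other than a bare host[:port] (credentials, a path, a query)
  // would be silently absorbed by URL; treat it as a malformed header.
  if (url.username || url.password || url.pathname !== '/' || url.search || url.hash) {
    return null;
  }
  // URL keeps IPv6 literals bracketed; strip the brackets for a plain host name.
  const name = url.hostname.startsWith('[') ? url.hostname.slice(1, -1) : url.hostname;
  // URL.port is '' when the port equals the scheme default (80 / 443).
  const port = url.port === '' ? (scheme === 'https' ? 443 : 80) : Number(url.port);
  return { name, port };
}

// Workaround the advisory describes for releases before 9.0.1: when the
// options passed to Hawk.authenticate() already carry host and port, the
// vulnerable utils.parseHost() is never reached. Build those options from an
// incoming Node request (req.headers.host is assumed to hold the raw header).
function hawkHostOptions(req, scheme = 'http') {
  const parsed = parseHost(req.headers.host, scheme);
  if (parsed === null) {
    return null; // reject the request with 400 before handing it to Hawk
  }
  return { host: parsed.name, port: parsed.port };
}
```

A null result from hawkHostOptions() should end the request before any Hawk call, so a malformed Host header is refused in constant time rather than parsed.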

Database specific
{
    "nvd_published_at": "2022-05-05T23:15:00Z",
    "cwe_ids": [
        "CWE-1333",
        "CWE-400"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2022-05-23T20:18:14Z"
}
References

Affected packages

npm / hawk

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
9.0.1

Ecosystem specific

{
    "affected_functions": [
        "(hawk).utils.parseHost"
    ]
}