Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS00NHB3LWgyY3ctdzN2cc4AAgdL
Uncontrolled Resource Consumption in Hawk
Hawk is an HTTP authentication scheme providing mechanisms for making authenticated HTTP requests with partial cryptographic verification of the request and response, covering the HTTP method, request URI, host, and optionally the request payload.

Hawk used a regular expression to parse the Host HTTP header (Hawk.utils.parseHost()), and that expression was subject to a regular expression denial-of-service (ReDoS) attack: each character the attacker adds to the header increases the matching time super-linearly (the advisory describes the growth as exponential), so one oversized Host header can block the event loop of the Node.js process that verifies the request. parseHost() was patched in 9.0.1 to use the built-in URL class to parse the hostname instead.

Workaround for versions before 9.0.1: Hawk.authenticate() accepts an options argument. If that contains host and port, those are used instead of a call to utils.parseHost(), so the attacker-controlled header never reaches the regular expression.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00NHB3LWgyY3ctdzN2cc4AAgdL
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: 6 months ago
CVSS Score: 7.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H
Identifiers: GHSA-44pw-h2cw-w3vq, CVE-2022-29167
References:
- https://github.com/mozilla/hawk/security/advisories/GHSA-44pw-h2cw-w3vq
- https://nvd.nist.gov/vuln/detail/CVE-2022-29167
- https://github.com/mozilla/hawk/pull/286
- https://github.com/mozilla/hawk/commit/d10d72ca82db967f6c5fcf866ff78e3ca25ce1ab
- https://github.com/advisories/GHSA-44pw-h2cw-w3vq
Blast Radius: 42.6
Affected Packages
npm:hawk
Dependent packages: 199
Dependent repositories: 573,332
Downloads: 4,112,271 last month
Affected Version Ranges: < 9.0.1
Fixed in: 9.0.1
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.0.7, 0.0.8, 0.1.0, 0.2.0, 0.3.0, 0.4.0, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.6.0, 0.6.1, 0.7.0, 0.7.1, 0.8.1, 0.9.0, 0.10.0, 0.10.1, 0.10.2, 0.11.0, 0.11.1, 0.12.0, 0.12.1, 0.12.2, 0.13.0, 0.13.1, 0.14.0, 0.15.0, 1.0.0, 1.1.1, 1.1.2, 2.0.0, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.3.0, 2.3.1, 3.0.0, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 4.0.0, 4.0.1, 4.1.0, 4.1.1, 4.1.2, 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.1.2, 6.0.0, 6.0.1, 6.0.2, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.9, 7.0.10, 7.1.0, 7.1.1, 7.1.2, 8.0.0, 8.0.1, 9.0.0
All unaffected versions: 9.0.1, 9.0.2