You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Hawk is an HTTP authentication scheme providing mechanisms for making authenticated HTTP requests with partial cryptographic verification of the request and response, covering the HTTP method, request URI, host, and optionally the request payload. Hawk used a regular expression to parse Host HTTP header (Hawk.utils.parseHost()), which was subject to regular expression DoS attack - meaning each added character in the attacker's input increases the computation time exponentially. parseHost() was patched in 9.0.1 to use built-in URL class to parse hostname instead. Hawk.authenticate() accepts options argument. If that contains host and port, those would be used instead of a call to utils.parseHost().
CVE-2022-29167 - High Severity Vulnerability
Vulnerable Library - hawk-3.1.3.tgz
HTTP Hawk Authentication Scheme
Library home page: https://registry.npmjs.org/hawk/-/hawk-3.1.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/hawk/package.json,/node_modules/npm/node_modules/request/node_modules/hawk/package.json
Dependency Hierarchy:
Found in HEAD commit: dd2759fc7ed6b3de42e3dc57ab3559ee4ffeb349
Found in base branch: master
Vulnerability Details
Hawk is an HTTP authentication scheme providing mechanisms for making authenticated HTTP requests with partial cryptographic verification of the request and response, covering the HTTP method, request URI, host, and optionally the request payload. Hawk used a regular expression to parse
Host
HTTP header (Hawk.utils.parseHost()
), which was subject to regular expression DoS attack - meaning each added character in the attacker's input increases the computation time exponentially.parseHost()
was patched in9.0.1
to use built-inURL
class to parse hostname instead.Hawk.authenticate()
acceptsoptions
argument. If that containshost
andport
, those would be used instead of a call toutils.parseHost()
.Publish Date: 2022-05-05
URL: CVE-2022-29167
CVSS 3 Score Details (7.4)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-44pw-h2cw-w3vq
Release Date: 2022-05-05
Fix Resolution: hawk - 9.0.1
The text was updated successfully, but these errors were encountered: