You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Hawk is an HTTP authentication scheme providing mechanisms for making authenticated HTTP requests with partial cryptographic verification of the request and response, covering the HTTP method, request URI, host, and optionally the request payload. Hawk used a regular expression to parse Host HTTP header (Hawk.utils.parseHost()), which was subject to regular expression DoS attack - meaning each added character in the attacker's input increases the computation time exponentially. parseHost() was patched in 9.0.1 to use built-in URL class to parse hostname instead. Hawk.authenticate() accepts options argument. If that contains host and port, those would be used instead of a call to utils.parseHost().
CVE-2022-29167 - High Severity Vulnerability
HTTP Hawk Authentication Scheme
Library home page: https://registry.npmjs.org/hawk/-/hawk-3.1.3.tgz
Dependency Hierarchy:
Found in HEAD commit: e09ef1e3a45be925a41a2e1aa6a0bcbc6b3c41ea
Found in base branch: master
Hawk is an HTTP authentication scheme providing mechanisms for making authenticated HTTP requests with partial cryptographic verification of the request and response, covering the HTTP method, request URI, host, and optionally the request payload. Hawk used a regular expression to parse
Host
HTTP header (Hawk.utils.parseHost()
), which was subject to regular expression DoS attack - meaning each added character in the attacker's input increases the computation time exponentially.parseHost()
was patched in9.0.1
to use built-inURL
class to parse hostname instead.Hawk.authenticate()
acceptsoptions
argument. If that containshost
andport
, those would be used instead of a call toutils.parseHost()
.Publish Date: 2022-05-05
URL: CVE-2022-29167
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-44pw-h2cw-w3vq
Release Date: 2022-05-05
Fix Resolution (hawk): 9.0.1
Direct dependency fix Resolution (@angular/compiler-cli): 5.2.10
The text was updated successfully, but these errors were encountered: