CVE-2016-2515 — Regex Denial of Service in Hawk

CWE-399 CWE-1333 — Regex Denial of Service8 documents6 sources

Severity

7.5HIGHNVD

EPSS

5.3%

top 9.95%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Tibco Hawk Hawk Project Hawk

Timeline

PublishedApr 13

Latest updateJul 31

Description

Hawk before 3.1.3 and 4.x before 4.1.1 allow remote attackers to cause a denial of service (CPU consumption or partial outage) via a long (1) header or (2) URI that is matched against an improper regular expression.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶npmtibco/hawk4.0.0 — 4.1.1+1

▶NVDhawk_project/hawk3.1.2, 4.1.0+1

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Regular Expression Denial of Service in hawk↗2018-07-31

▶

GHSA

Regular Expression Denial of Service in hawk↗2018-07-31

▶

CVEList

CVE-2016-2515: Hawk before 3↗2016-04-13

▶

📋Vendor Advisories

Red Hat

nodejs-hawk: Long headers or URIs can cause minor DoS↗2016-01-19

▶

💬Community

Bugzilla

CVE-2016-2515 nodejs-hawk: Long headers or URIs can cause minor DoS↗2016-02-18

▶

Bugzilla

CVE-2016-2515 nodejs-hawk: Long headers or URIs can cause minor DoS [fedora-all]↗2016-02-18

▶

Bugzilla

CVE-2016-2515 nodejs-hawk: Long headers or URIs can cause minor DoS [epel-all]↗2016-02-18

▶