Severity: 7.5 HIGH (NVD); 7.4 (CNA)
EPSS: 0.2% (top 64.10%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published May 5; Latest update May 30

Description

Hawk is an HTTP authentication scheme providing mechanisms for making authenticated HTTP requests with partial cryptographic verification of the request and response, covering the HTTP method, request URI, host, and optionally the request payload. Hawk used a regular expression to parse the `Host` HTTP header (`Hawk.utils.parseHost()`), which was subject to a regular expression denial-of-service (ReDoS) attack, meaning each added character in the attacker's input increases the computation time exponentially. `parseHost()`
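As an added illustration of the mitigation class for this bug (this is not Hawk's own code, nor the fix it shipped), the parser below handles a `Host` header value by scanning it character by character under a fixed length cap instead of matching a regular expression. Without a backtracking regex engine in the path, a crafted header cannot inflate parsing time beyond linear in its length. The function names, the 256-byte cap, the `defaultPort` parameter and the `{ name, port }` result shape are assumptions made for this example.

```javascript
// Added example, not Hawk's code: a linear-time Host header parser.
// Every check is a single forward pass over the input, so cost is
// bounded by the (already capped) header length.

// Assumed cap for this example; real Host values are far shorter.
// Rejecting oversized input before any parsing is the first guard.
const MAX_HOST_HEADER_LENGTH = 256;

// Port text: 1 to 5 ASCII digits, nothing else.
function allDigits(s) {
  if (s.length === 0 || s.length > 5) return false;
  for (let i = 0; i < s.length; i++) {
    const c = s.charCodeAt(i);
    if (c < 0x30 || c > 0x39) return false;
  }
  return true;
}

// reg-name / IPv4 subset: letters, digits, '-' and '.' only.
function isHostName(s) {
  if (s.length === 0 || s.length > 253) return false;
  for (let i = 0; i < s.length; i++) {
    const c = s[i];
    const ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
               (c >= '0' && c <= '9') || c === '-' || c === '.';
    if (!ok) return false;
  }
  return true;
}

// Inside of an IPv6 literal: hex digits, ':' and '.' (embedded IPv4).
function isIpv6Body(s) {
  if (s.length === 0 || s.length > 45) return false;
  for (let i = 0; i < s.length; i++) {
    const c = s[i];
    const ok = (c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') ||
               (c >= 'A' && c <= 'F') || c === ':' || c === '.';
    if (!ok) return false;
  }
  return true;
}

// Returns { name, port } on success or null for anything malformed.
// The result shape and defaultPort parameter are assumptions of this example.
function parseHostHeader(header, defaultPort) {
  if (typeof header !== 'string' || header.length === 0 ||
      header.length > MAX_HOST_HEADER_LENGTH) {
    return null;
  }

  let name;
  let portText;

  if (header[0] === '[') {
    // IPv6 literal: "[::1]" or "[::1]:8000"
    const close = header.indexOf(']');
    if (close === -1 || !isIpv6Body(header.slice(1, close))) return null;
    name = header.slice(0, close + 1);
    const rest = header.slice(close + 1);
    if (rest === '') {
      portText = '';
    } else if (rest[0] === ':') {
      portText = rest.slice(1);
    } else {
      return null;
    }
  } else {
    const colon = header.indexOf(':');
    name = colon === -1 ? header : header.slice(0, colon);
    portText = colon === -1 ? '' : header.slice(colon + 1);
    if (!isHostName(name)) return null;
  }

  if (portText === '') {
    return { name, port: defaultPort };
  }
  if (!allDigits(portText)) return null;
  const port = Number(portText);
  if (port < 1 || port > 65535) return null;
  return { name, port };
}

// Constructed sample inputs for a quick run.
console.log(parseHostHeader('example.com:8443', 80));   // { name: 'example.com', port: 8443 }
console.log(parseHostHeader('[::1]', 443));             // { name: '[::1]', port: 443 }
console.log(parseHostHeader('a'.repeat(1000), 80));     // null (over the length cap)
```

The length cap matters independently of the regex question: even a linear parser should refuse header values far outside anything a legitimate client sends, so that the cost per request stays small and predictable.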

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (3 packages)

npm: tibco/hawk < 9.0.1
CVEListV5: mozilla/hawk < 9.0.1
NVD: mozilla/hawk < 9.0.1

Patches

Vulnerability Details (4)

GHSA: Uncontrolled Resource Consumption in Hawk (2022-05-23)
OSV: Uncontrolled Resource Consumption in Hawk (2022-05-23)
OSV: CVE-2022-29167: Hawk is an HTTP authentication scheme providing mechanisms for making authenticated HTTP requests with partial cryptographic verification of the reque... (2022-05-05)
CVEList: ReDoS vulnerability in header parsing in hawk (2022-05-05)

Vendor Advisories (3)

Ubuntu: hawk vulnerability (2023-05-30)
Red Hat: hawk: REDoS in hawk.utils.parseHost() when parsing Host header (2022-05-06)
Debian: CVE-2022-29167: node-hawk - Hawk is an HTTP authentication scheme providing mechanisms for making authentica... (2022)

Community (1)

Bugzilla: ReDoS vulnerability in hawk (npm package) (2022-05-02)
CVE-2022-29167 — Uncontrolled Resource Consumption | cvebase