CVE-2022-29167 (High) detected in hawk-3.1.3.tgz, hawk-6.0.2.tgz

## CVE-2022-29167 - High Severity Vulnerability
<details><summary><img src='https://whitesource-resources.whitesourcesoftware.com/vulnerability_details.png' width=19 height=20> Vulnerable Libraries - hawk-3.1.3.tgz, hawk-6.0.2.tgz</summary>


<details><summary>hawk-3.1.3.tgz</summary>

HTTP Hawk Authentication Scheme
Library home page: <a href="https://registry.npmjs.org/hawk/-/hawk-3.1.3.tgz">https://registry.npmjs.org/hawk/-/hawk-3.1.3.tgz</a>
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/grpc/node_modules/hawk/package.json


Dependency Hierarchy:
 - speech-1.1.0.tgz (Root Library)
 - google-gax-0.14.5.tgz
 - grpc-1.7.3.tgz
 - node-pre-gyp-0.6.39.tgz
 - :x: **hawk-3.1.3.tgz** (Vulnerable Library)
</details>
<details><summary>hawk-6.0.2.tgz</summary>

HTTP Hawk Authentication Scheme
Library home page: <a href="https://registry.npmjs.org/hawk/-/hawk-6.0.2.tgz">https://registry.npmjs.org/hawk/-/hawk-6.0.2.tgz</a>
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/hawk/package.json


Dependency Hierarchy:
 - storage-1.6.0.tgz (Root Library)
 - request-2.83.0.tgz
 - :x: **hawk-6.0.2.tgz** (Vulnerable Library)
</details>


</details>

<details><summary><img src='https://whitesource-resources.whitesourcesoftware.com/high_vul.png' width=19 height=20> Vulnerability Details</summary>
 
 
Hawk is an HTTP authentication scheme providing mechanisms for making authenticated HTTP requests with partial cryptographic verification of the request and response, covering the HTTP method, request URI, host, and optionally the request payload. Hawk used a regular expression to parse `Host` HTTP header (`Hawk.utils.parseHost()`), which was subject to regular expression DoS attack - meaning each added character in the attacker's input increases the computation time exponentially. `parseHost()` was patched in `9.0.1` to use built-in `URL` class to parse hostname instead. `Hawk.authenticate()` accepts `options` argument. If that contains `host` and `port`, those would be used instead of a call to `utils.parseHost()`.

Publish Date: 2022-05-05
URL: <a href=https://www.mend.io/vulnerability-database/CVE-2022-29167>CVE-2022-29167</a>

</details>

<details><summary><img src='https://whitesource-resources.whitesourcesoftware.com/cvss3.png' width=19 height=20> CVSS 3 Score Details (7.5)</summary>


Base Score Metrics:
- Exploitability Metrics:
 - Attack Vector: Network
 - Attack Complexity: Low
 - Privileges Required: None
 - User Interaction: None
 - Scope: Unchanged
- Impact Metrics:
 - Confidentiality Impact: None
 - Integrity Impact: None
 - Availability Impact: High

For more information on CVSS3 Scores, click <a href="https://www.first.org/cvss/calculator/3.0">here</a>.

</details>

<details><summary><img src='https://whitesource-resources.whitesourcesoftware.com/suggested_fix.png' width=19 height=20> Suggested Fix</summary>


Type: Upgrade version
Origin: <a href="https://github.com/mozilla/hawk/security/advisories/GHSA-44pw-h2cw-w3vq">https://github.com/mozilla/hawk/security/advisories/GHSA-44pw-h2cw-w3vq</a>
Release Date: 2022-05-05
Fix Resolution: hawk - 9.0.1


</details>


***
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2022-29167 (High) detected in hawk-3.1.3.tgz, hawk-6.0.2.tgz #157

CVE-2022-29167 - High Severity Vulnerability

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

CVE-2022-29167 (High) detected in hawk-3.1.3.tgz, hawk-6.0.2.tgz #157

Description

CVE-2022-29167 - High Severity Vulnerability

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions