CVE-2022-29167

2022-05-0500:00:00

ubuntu.com

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.001 Low

EPSS

Percentile

35.7%

JSON

Hawk is an HTTP authentication scheme providing mechanisms for making
authenticated HTTP requests with partial cryptographic verification of the
request and response, covering the HTTP method, request URI, host, and
optionally the request payload. Hawk used a regular expression to parse
Host HTTP header (Hawk.utils.parseHost()), which was subject to regular
expression DoS attack - meaning each added character in the attacker’s
input increases the computation time exponentially. parseHost() was
patched in 9.0.1 to use built-in URL class to parse hostname instead.
Hawk.authenticate() accepts options argument. If that contains host
and port, those would be used instead of a call to utils.parseHost().

OSVersionArchitecturePackageVersionFilename
ubuntu18.04noarchnode-hawk< 6.0.1+dfsg-1+deb10u1build0.18.04.1UNKNOWN
ubuntu20.04noarchnode-hawk< 7.1.2+dfsg-1ubuntu0.1UNKNOWN
ubuntu22.04noarchnode-hawk< 8.0.1+dfsg-1ubuntu0.22.04.1UNKNOWN
ubuntu22.10noarchnode-hawk< 8.0.1+dfsg-1ubuntu0.22.10.1UNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	18.04	noarch	node-hawk	< 6.0.1+dfsg-1+deb10u1build0.18.04.1	UNKNOWN
ubuntu	20.04	noarch	node-hawk	< 7.1.2+dfsg-1ubuntu0.1	UNKNOWN
ubuntu	22.04	noarch	node-hawk	< 8.0.1+dfsg-1ubuntu0.22.04.1	UNKNOWN
ubuntu	22.10	noarch	node-hawk	< 8.0.1+dfsg-1ubuntu0.22.10.1	UNKNOWN