{"containers": {"cna": {"affected": [{"product": "hawk", "vendor": "mozilla", "versions": [{"status": "affected", "version": "< 9.0.1"}]}], "descriptions": [{"lang": "en", "value": "Hawk is an HTTP authentication scheme providing mechanisms for making authenticated HTTP requests with partial cryptographic verification of the request and response, covering the HTTP method, request URI, host, and optionally the request payload. Hawk used a regular expression to parse `Host` HTTP header (`Hawk.utils.parseHost()`), which was subject to regular expression DoS attack - meaning each added character in the attacker's input increases the computation time exponentially. `parseHost()` was patched in `9.0.1` to use built-in `URL` class to parse hostname instead. `Hawk.authenticate()` accepts `options` argument. If that contains `host` and `port`, those would be used instead of a call to `utils.parseHost()`."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-05-05T22:55:10.000Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/mozilla/hawk/security/advisories/GHSA-44pw-h2cw-w3vq"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/mozilla/hawk/pull/286"}], "source": {"advisory": "GHSA-44pw-h2cw-w3vq", "discovery": "UNKNOWN"}, "title": "ReDoS vulnerability in header parsing in hawk", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-29167", "STATE": "PUBLIC", "TITLE": "ReDoS vulnerability in header parsing in hawk"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "hawk", "version": {"version_data": [{"version_value": "< 9.0.1"}]}}]}, "vendor_name": "mozilla"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Hawk is an HTTP authentication scheme providing mechanisms for making authenticated HTTP requests with partial cryptographic verification of the request and response, covering the HTTP method, request URI, host, and optionally the request payload. Hawk used a regular expression to parse `Host` HTTP header (`Hawk.utils.parseHost()`), which was subject to regular expression DoS attack - meaning each added character in the attacker's input increases the computation time exponentially. `parseHost()` was patched in `9.0.1` to use built-in `URL` class to parse hostname instead. `Hawk.authenticate()` accepts `options` argument. If that contains `host` and `port`, those would be used instead of a call to `utils.parseHost()`."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-400: Uncontrolled Resource Consumption"}]}]}, "references": {"reference_data": [{"name": "https://github.com/mozilla/hawk/security/advisories/GHSA-44pw-h2cw-w3vq", "refsource": "CONFIRM", "url": "https://github.com/mozilla/hawk/security/advisories/GHSA-44pw-h2cw-w3vq"}, {"name": "https://github.com/mozilla/hawk/pull/286", "refsource": "MISC", "url": "https://github.com/mozilla/hawk/pull/286"}]}, "source": {"advisory": "GHSA-44pw-h2cw-w3vq", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T06:17:54.086Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/mozilla/hawk/security/advisories/GHSA-44pw-h2cw-w3vq"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/mozilla/hawk/pull/286"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-23T14:07:46.041057Z", "id": "CVE-2022-29167", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-23T18:30:44.456Z"}}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-29167", "datePublished": "2022-05-05T22:55:10.000Z", "dateReserved": "2022-04-13T00:00:00.000Z", "dateUpdated": "2025-04-23T18:30:44.456Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/mozilla/hawk/security/advisories/GHSA-44pw-h2cw-w3vq", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/mozilla/hawk/pull/286", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T06:17:54.086Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-29167", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-23T14:07:46.041057Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-23T14:07:47.373Z"}}], "cna": {"title": "ReDoS vulnerability in header parsing in hawk", "source": {"advisory": "GHSA-44pw-h2cw-w3vq", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "mozilla", "product": "hawk", "versions": [{"status": "affected", "version": "< 9.0.1"}]}], "references": [{"url": "https://github.com/mozilla/hawk/security/advisories/GHSA-44pw-h2cw-w3vq", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/mozilla/hawk/pull/286", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Hawk is an HTTP authentication scheme providing mechanisms for making authenticated HTTP requests with partial cryptographic verification of the request and response, covering the HTTP method, request URI, host, and optionally the request payload. Hawk used a regular expression to parse `Host` HTTP header (`Hawk.utils.parseHost()`), which was subject to regular expression DoS attack - meaning each added character in the attacker's input increases the computation time exponentially. `parseHost()` was patched in `9.0.1` to use built-in `URL` class to parse hostname instead. `Hawk.authenticate()` accepts `options` argument. If that contains `host` and `port`, those would be used instead of a call to `utils.parseHost()`."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-05-05T22:55:10.000Z"}, "x_legacyV4Record": {"impact": {"cvss": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, "source": {"advisory": "GHSA-44pw-h2cw-w3vq", "discovery": "UNKNOWN"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "< 9.0.1"}]}, "product_name": "hawk"}]}, "vendor_name": "mozilla"}]}}, "data_type": "CVE", "references": {"reference_data": [{"url": "https://github.com/mozilla/hawk/security/advisories/GHSA-44pw-h2cw-w3vq", "name": "https://github.com/mozilla/hawk/security/advisories/GHSA-44pw-h2cw-w3vq", "refsource": "CONFIRM"}, {"url": "https://github.com/mozilla/hawk/pull/286", "name": "https://github.com/mozilla/hawk/pull/286", "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "Hawk is an HTTP authentication scheme providing mechanisms for making authenticated HTTP requests with partial cryptographic verification of the request and response, covering the HTTP method, request URI, host, and optionally the request payload. Hawk used a regular expression to parse `Host` HTTP header (`Hawk.utils.parseHost()`), which was subject to regular expression DoS attack - meaning each added character in the attacker's input increases the computation time exponentially. `parseHost()` was patched in `9.0.1` to use built-in `URL` class to parse hostname instead. `Hawk.authenticate()` accepts `options` argument. If that contains `host` and `port`, those would be used instead of a call to `utils.parseHost()`."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-400: Uncontrolled Resource Consumption"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2022-29167", "STATE": "PUBLIC", "TITLE": "ReDoS vulnerability in header parsing in hawk", "ASSIGNER": "security-advisories@github.com"}}}}, "cveMetadata": {"cveId": "CVE-2022-29167", "state": "PUBLISHED", "dateUpdated": "2025-04-23T18:30:44.456Z", "dateReserved": "2022-04-13T00:00:00.000Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2022-05-05T22:55:10.000Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:hawk:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "52944D80-ECF3-4739-B338-91E50E563870", "versionEndExcluding": "9.0.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Hawk is an HTTP authentication scheme providing mechanisms for making authenticated HTTP requests with partial cryptographic verification of the request and response, covering the HTTP method, request URI, host, and optionally the request payload. Hawk used a regular expression to parse `Host` HTTP header (`Hawk.utils.parseHost()`), which was subject to regular expression DoS attack - meaning each added character in the attacker's input increases the computation time exponentially. `parseHost()` was patched in `9.0.1` to use built-in `URL` class to parse hostname instead. `Hawk.authenticate()` accepts `options` argument. If that contains `host` and `port`, those would be used instead of a call to `utils.parseHost()`."}, {"lang": "es", "value": "Hawk es un esquema de autenticaci\u00f3n HTTP que proporciona mecanismos para realizar peticiones HTTP autenticadas con verificaci\u00f3n criptogr\u00e1fica parcial de la petici\u00f3n y la respuesta, cubriendo el m\u00e9todo HTTP, el URI de la petici\u00f3n, el host y, opcionalmente, la carga \u00fatil de la petici\u00f3n. Hawk usaba una expresi\u00f3n regular para analizar el encabezado HTTP \"Host\" (\"Hawk.utils.parseHost()\"), que estaba sujeta a un ataque DoS de expresi\u00f3n regular - lo que significa que cada car\u00e1cter a\u00f1adido en la entrada del atacante aumenta el tiempo de c\u00e1lculo exponencialmente. ParseHost()\" ha sido corregido en versi\u00f3n \"9.0.1\" para usar la clase \"URL' incorporada para analizar el nombre de host. Hawk.authenticate()\" acepta el argumento \"options\". Si \u00e9ste contiene \"host\" y \"port\", ser\u00e1n usadas en lugar de una llamada a \"utils.parseHost()\""}], "id": "CVE-2022-29167", "lastModified": "2024-11-21T06:58:37.553", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-05-05T23:15:09.083", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/mozilla/hawk/pull/286"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/mozilla/hawk/security/advisories/GHSA-44pw-h2cw-w3vq"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/mozilla/hawk/pull/286"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/mozilla/hawk/security/advisories/GHSA-44pw-h2cw-w3vq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-1333"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "hawk: REDoS in hawk.utils.parseHost() when parsing Host header", "id": "2082387", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2082387"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-400->CWE-770", "details": ["Hawk is an HTTP authentication scheme providing mechanisms for making authenticated HTTP requests with partial cryptographic verification of the request and response, covering the HTTP method, request URI, host, and optionally the request payload. Hawk used a regular expression to parse `Host` HTTP header (`Hawk.utils.parseHost()`), which was subject to regular expression DoS attack - meaning each added character in the attacker's input increases the computation time exponentially. `parseHost()` was patched in `9.0.1` to use built-in `URL` class to parse hostname instead. `Hawk.authenticate()` accepts `options` argument. If that contains `host` and `port`, those would be used instead of a call to `utils.parseHost()`.", "A regular expression denial of service (ReDoS) was found in Hawk in its header parsing functionality. The issue arises from inadequate input validation in the Hawk.utils.parseHost() function when processing untrusted input with regular expressions. This flaw allows an attacker to send a specially crafted HTTP header to initiate a ReDoS attack."], "name": "CVE-2022-29167", "package_state": [{"cpe": "cpe:/a:redhat:rhel_dotnet:3.1", "fix_state": "Not affected", "package_name": "rh-dotnet31-dotnet", "product_name": ".NET Core 3.1 on Red Hat Enterprise Linux"}, {"cpe": "cpe:/a:redhat:rhel_dotnet:5.0", "fix_state": "Out of support scope", "package_name": "rh-dotnet50-dotnet", "product_name": ".NET Core 5.0 on Red Hat Enterprise Linux"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "dotnet3.1", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "dotnet5.0", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "firefox:flatpak/firefox", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "mozjs60", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "thunderbird:flatpak/thunderbird", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "firefox:flatpak/firefox", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "gjs", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "polkit", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "thunderbird:flatpak/thunderbird", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Will not fix", "package_name": "hawk", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Out of support scope", "package_name": "hawk", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Will not fix", "package_name": "quay/quay-rhel8", "product_name": "Red Hat Quay 3"}], "public_date": "2022-05-06T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-29167\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-29167\nhttps://github.com/mozilla/hawk/security/advisories/GHSA-44pw-h2cw-w3vq"], "statement": "This flaw is out of support scope and will not be addressed for the dotnet-5.0 product. Please see https://access.redhat.com/support/policy/updates/net-core for more information about dotnet support scope.", "threat_severity": "Moderate"}