Bug 2082387 (CVE-2022-29167)
| Summary: | CVE-2022-29167 hawk: REDoS in hawk.utils.parseHost() when parsing Host header | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Todd Cullum <tcullum> |
| Component: | vulnerability | Assignee: | Nobody <nobody> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | aileenc, andrew.slice, bdettelb, bodavis, caillon+fedoraproject, chazlett, crummel, dbhole, dmitry, dotnet-packagers, epel-packagers-sig, erack, extras-orphan, fmuellner, francisco.vergarat, fzatlouk, gecko-bugs-nobody, ggaughan, gmalinko, harold, janstey, jhorak, jochrist, jwon, kai-engert-fedora, klaas, klember, lemenkov, lvaleeva, ngompa13, omajid, pdelbell, pjasicek, pjindal, rhughes, rstrode, rwagner, sandmann, stransky, tpopela, trpost |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | hawk 9.0.1 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A regular expression denial of service (ReDoS) was found in Hawk in its header parsing functionality. The issue arises from inadequate input validation in the Hawk.utils.parseHost() function when processing untrusted input with regular expressions. This flaw allows an attacker to send a specially crafted HTTP header to initiate a ReDoS attack.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2082456, 2082457, 2082458, 2082459, 2082460, 2082461, 2082462, 2082463, 2082464, 2082465, 2082466, 2108426, 2108427, 2108428, 2108429, 2108430, 2108431, 2108432, 2108433, 2108434, 2108435, 2108436, 2108437, 2108438, 2109683 | ||
| Bug Blocks: | 2082386 | ||
|
Description
Todd Cullum
2022-05-06 01:33:56 UTC
Created couchdb tracking bugs for this issue: Affects: fedora-all [bug 2082457] Created dotnet3.1 tracking bugs for this issue: Affects: fedora-all [bug 2082458] Created firefox tracking bugs for this issue: Affects: fedora-all [bug 2082459] Created icecat tracking bugs for this issue: Affects: fedora-all [bug 2082460] Created mozjs68 tracking bugs for this issue: Affects: fedora-all [bug 2082461] Created mozjs78 tracking bugs for this issue: Affects: fedora-all [bug 2082462] Created mozjs91 tracking bugs for this issue: Affects: fedora-all [bug 2082466] Created seamonkey tracking bugs for this issue: Affects: epel-8 [bug 2082456] Affects: fedora-all [bug 2082463] Created thunderbird tracking bugs for this issue: Affects: fedora-all [bug 2082464] Created yarnpkg tracking bugs for this issue: Affects: fedora-all [bug 2082465] Looking at the header of https://hg.mozilla.org/releases/mozilla-release/file/tip/services/common/hawkclient.js, it seems some another hawk implementation, just mentioning an ancient "https://github.com/hueniverse/hawk" link, and does not have any regexp code for the host parsing. IOW, it seems that even the current upstream Firefox still uses its own hawk implementation, which yet not affected by the issue, since does not use any regexp for host parsing yet. |