漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
ReDoS vulnerability in header parsing in hawk
Vulnerability Description
Hawk is an HTTP authentication scheme providing mechanisms for making authenticated HTTP requests with partial cryptographic verification of the request and response, covering the HTTP method, request URI, host, and optionally the request payload. Hawk used a regular expression to parse `Host` HTTP header (`Hawk.utils.parseHost()`), which was subject to regular expression DoS attack - meaning each added character in the attacker's input increases the computation time exponentially. `parseHost()` was patched in `9.0.1` to use built-in `URL` class to parse hostname instead. `Hawk.authenticate()` accepts `options` argument. If that contains `host` and `port`, those would be used instead of a call to `utils.parseHost()`.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H
Vulnerability Type
未加控制的资源消耗(资源穷尽)
Vulnerability Title
hawk 资源管理错误漏洞
Vulnerability Description
hawk是Mozilla基金会的一个 HTTP 密钥持有者身份验证方案。 hawk 9.0.1版本之前存在安全漏洞,该漏洞源于hawk使用正则表达式解析 HTTP 标头,攻击者利用该漏洞可导致正则表达式所引发的Dos攻击(ReDoS)。
CVSS Information
N/A
Vulnerability Type
N/A