Resource Exhaustion Affecting mozjs60 package, versions *


Severity

Recommended
medium

Based on CentOS security rating.

Threat Intelligence

EPSS
0.08% (38th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Resource Exhaustion vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-CENTOS8-MOZJS60-2809129
  • published6 May 2022
  • disclosed6 May 2022

Introduced: 6 May 2022

CVE-2022-29167  (opens in a new tab)
CWE-400  (opens in a new tab)
CWE-770  (opens in a new tab)

How to fix?

There is no fixed version for Centos:8 mozjs60.

NVD Description

Note: Versions mentioned in the description apply only to the upstream mozjs60 package and not the mozjs60 package as distributed by Centos. See How to fix? for Centos:8 relevant fixed versions and status.

Hawk is an HTTP authentication scheme providing mechanisms for making authenticated HTTP requests with partial cryptographic verification of the request and response, covering the HTTP method, request URI, host, and optionally the request payload. Hawk used a regular expression to parse Host HTTP header (Hawk.utils.parseHost()), which was subject to regular expression DoS attack - meaning each added character in the attacker's input increases the computation time exponentially. parseHost() was patched in 9.0.1 to use built-in URL class to parse hostname instead. Hawk.authenticate() accepts options argument. If that contains host and port, those would be used instead of a call to utils.parseHost().

CVSS Scores

version 3.1