ID de Prueba:	1.3.6.1.4.1.25623.1.1.10.2024.0086
Categoría:	Mageia Linux Local Security Checks
Título:	Mageia: Security Advisory (MGASA-2024-0086)
Resumen:	The remote host is missing an update for the 'nodejs-hawk' package(s) announced via the MGASA-2024-0086 advisory.
Descripción:	Summary: The remote host is missing an update for the 'nodejs-hawk' package(s) announced via the MGASA-2024-0086 advisory. Vulnerability Insight: Hawk is an HTTP authentication scheme providing mechanisms for making authenticated HTTP requests with partial cryptographic verification of the request and response, covering the HTTP method, request URI, host, and optionally the request payload. Hawk used a regular expression to parse `Host` HTTP header (`Hawk.utils.parseHost()`), which was subject to regular expression DoS attack - meaning each added character in the attacker's input increases the computation time exponentially. `parseHost()` was patched in `9.0.1` to use built-in `URL` class to parse hostname instead. `Hawk.authenticate()` accepts `options` argument. If that contains `host` and `port`, those would be used instead of a call to `utils.parseHost()`. (CVE-2022-29167) Affected Software/OS: 'nodejs-hawk' package(s) on Mageia 9. Solution: Please install the updated package(s). CVSS Score: 5.0 CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Referencia Cruzada:	Common Vulnerability Exposure (CVE) ID: CVE-2022-29167 https://github.com/mozilla/hawk/security/advisories/GHSA-44pw-h2cw-w3vq https://github.com/mozilla/hawk/pull/286
Copyright	Copyright (C) 2024 Greenbone AG

Esta es sólo una de 145615 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa. Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.