CVE-2016-2515 High Severity Vulnerability detected by WhiteSource

[mend-bolt-for-github]

CVE-2016-2515 - High Severity Vulnerability

Vulnerable Library - hawk-3.1.3.tgz

HTTP Hawk Authentication Scheme

path: null

Library home page: http://registry.npmjs.org/hawk/-/hawk-3.1.3.tgz

Dependency Hierarchy:

• datastore-1.3.4.tgz (Root Library)
  • google-gax-0.14.5.tgz
    • grpc-1.7.3.tgz
      • node-pre-gyp-0.6.39.tgz
        • ❌ hawk-3.1.3.tgz (Vulnerable Library)

Vulnerability Details

Hawk before 3.1.3 and 4.x before 4.1.1 allow remote attackers to cause a denial of service (CPU consumption or partial outage) via a long (1) header or (2) URI that is matched against an improper regular expression.

Publish Date: 2016-04-13

URL: CVE-2016-2515

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/77

Release Date: 2016-01-19

Fix Resolution: Update to hawk version 4.1.1 or greater.

---

Step up your Open Source Security Game with WhiteSource here