CVE-2023-28628

Published: Mar 27, 2023

Modified: Feb 19, 2025

PUBLISHED

CVSS v3.1

5.4

MEDIUM

Description

lambdaisland/uri is a pure Clojure/ClojureScript URI library. In versions prior to 1.14.120 `authority-regex` allows an attacker to send malicious URLs to be parsed by the `lambdaisland/uri` and return the wrong authority. This issue is similar to but distinct from CVE-2020-8910. The regex in question doesn't handle the backslash (`\`) character in the username correctly, leading to a wrong output. ex. a payload of `https://example.com\\@google.com` would return that the host is `google.com`, but the correct host should be `example.com`. Given that the library returns the wrong authority this may be abused to bypass host restrictions depending on how the library is used in an application. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Vendor	Product	Versions
lambdaisland	uri	affected `< 1.14.120`

Weaknesses (CWE)

CWE-706

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

References

https://github.com/lambdaisland/uri/security/advisories/GHSA-cp4w-6x4w-v2h5

x_refsource_CONFIRM

https://github.com/lambdaisland/uri/commit/f46db3e84846f79e14bfee0101d9c7a872321820

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2023-28628

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References