CVE-2023-28628

`authority-regex` returns the wrong authority in lambdaisland/uri

Severity Score

6.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

lambdaisland/uri is a pure Clojure/ClojureScript URI library. In versions prior to 1.14.120 `authority-regex` allows an attacker to send malicious URLs to be parsed by the `lambdaisland/uri` and return the wrong authority. This issue is similar to but distinct from CVE-2020-8910. The regex in question doesn't handle the backslash (`\`) character in the username correctly, leading to a wrong output. ex. a payload of `https://example.com\\@google.com` would return that the host is `google.com`, but the correct host should be `example.com`. Given that the library returns the wrong authority this may be abused to bypass host restrictions depending on how the library is used in an application. Users are advised to upgrade. There are no known workarounds for this vulnerability.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-03-20 CVE Reserved
2023-03-27 CVE Published
2024-08-02 CVE Updated
2024-08-02 First Exploit
2024-10-17 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
CWE-706: Use of Incorrectly-Resolved Name or Reference

CAPEC

References (2)

URL	Tag	Source

URL	Date	SRC
https://github.com/lambdaisland/uri/security/advisories/GHSA-cp4w-6x4w-v2h5	2024-08-02

URL	Date	SRC
https://github.com/lambdaisland/uri/commit/f46db3e84846f79e14bfee0101d9c7a872321820	2023-04-04

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Lambdaisland Search vendor "Lambdaisland"		Uri Search vendor "Lambdaisland" for product "Uri"				< 1.14.120 Search vendor "Lambdaisland" for product "Uri" and version " < 1.14.120"		-		Affected