
CVE-2023-28628 lambdaisland:uri

Package

Manager: maven
Name: lambdaisland:uri
Vulnerable Version: >=0 <1.14.120

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00187 (percentile 0.40802)

Details

lambdaisland/uri `authority-regex` returns the wrong authority

### Summary

`authority-regex` lets an attacker craft a URL that, when parsed by `lambdaisland/uri`, yields the wrong authority and therefore the wrong host. This issue is similar to CVE-2020-8910.

### Details

https://github.com/lambdaisland/uri/blob/d3355fcd3e235238f4dcd37be97787a84e580072/src/lambdaisland/uri.cljc#L9

This regex does not handle a backslash (`\`) in what it takes to be the username correctly. Under the WHATWG URL Standard, a backslash in a URL with a special scheme such as `https` is treated like `/`, so it terminates the authority. This regex instead keeps scanning past the backslash, takes the text after the last `@` as the host, and so reports the wrong host.

**Payload:** `https://example.com\@google.com` (written as `"https://example.com\\@google.com"` in a Clojure string literal, where `\\` is a single backslash)

The returned host is `google.com`, but the correct host is `example.com`: the `@google.com` that follows the backslash belongs to the path. `urllib3` (Python) and `google-closure-library` (JavaScript) both return `example.com` as the host. The current (correct) regex used by `google-closure-library` is here:

https://github.com/google/closure-library/blob/0e567abedb058e9b194a40cfa3ad4c507653bccf/closure/goog/uri/utils.js#L189

### PoC

```clojure
(ns poc.core
  (:require [lambdaisland.uri :refer [uri]]))

;; In a Clojure string literal "\\" is one backslash, so the URL that is
;; actually parsed is https://example.com\@google.com
(def myurl "https://example.com\\@google.com")

(defn -main []
  (println myurl)
  ;; Vulnerable versions print google.com here; the correct host is example.com,
  ;; because the backslash ends the authority and "@google.com" is the path.
  (println (:host (uri myurl))))
```

Running `-main` on a vulnerable version prints the URL followed by `google.com`; the expected host is `example.com`.

### Impact

The library returns the wrong authority. Any host allow-list or deny-list evaluated on the host it reports can be bypassed: the check sees `google.com`, while a browser or any other WHATWG-conformant client sends the request to `example.com` (CWE-601, CWE-706).

### Reference

WHATWG URL Living Standard, section 4.4 URL parsing, host state: https://url.spec.whatwg.org/#url-parsing
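The following is an added example, not code from lambdaisland/uri or from the advisory. It puts a hypothetical naive RFC 3986-style authority regex (`NAIVE_AUTHORITY_RE`, written here to illustrate the class of bug; it is not the library's own regex) beside the WHATWG URL parser built into Node.js, runs both on the advisory's payload, and shows how an open-redirect allow-list keyed on the naive host is bypassed. The trusted-host set and the redirect-guard helpers are assumptions for the demonstration.

```javascript
// Added example (not lambdaisland/uri code): naive authority regex vs WHATWG URL.

// Hypothetical naive splitter: the authority is everything after "scheme://"
// up to the first "/", "?" or "#". "\" is not a delimiter here, so it is
// swallowed into the authority and the last "@" is then taken as the end of
// the userinfo. This is the class of mistake the advisory describes.
const NAIVE_AUTHORITY_RE = /^[A-Za-z][A-Za-z0-9+.-]*:\/\/([^/?#]*)/;

function naiveHost(urlString) {
  const m = NAIVE_AUTHORITY_RE.exec(urlString);
  if (m === null) return null;
  let hostport = m[1];
  const at = hostport.lastIndexOf('@');
  if (at !== -1) hostport = hostport.slice(at + 1);
  if (hostport.startsWith('[')) {
    // Bracketed IPv6 literal: keep "[...]" and drop any ":port" after it.
    const close = hostport.indexOf(']');
    if (close !== -1) hostport = hostport.slice(0, close + 1);
  } else {
    // Drop an optional ":port".
    const colon = hostport.lastIndexOf(':');
    if (colon !== -1) hostport = hostport.slice(0, colon);
  }
  return hostport.toLowerCase();
}

// WHATWG parser (global URL in Node.js): for special schemes such as https a
// "\" is treated like "/", so it terminates the authority. Browsers do this.
function whatwgHost(urlString) {
  try {
    return new URL(urlString).hostname;
  } catch (e) {
    return null; // unparseable input has no host
  }
}

// Assumed open-redirect guard: only follow redirects to a trusted host.
function isTrustedRedirect(urlString, hostFn, trustedHosts) {
  const host = hostFn(urlString);
  return host !== null && trustedHosts.has(host);
}

// Defensive check for code that cannot yet drop a legacy parser: refuse any
// URL on which the legacy parser and the WHATWG parser disagree about the host.
function hasAmbiguousHost(urlString) {
  return naiveHost(urlString) !== whatwgHost(urlString);
}

// Constructed inputs for the demonstration.
const TRUSTED = new Set(['google.com']);
// In a JS string literal "\\" is a single backslash, as in the Clojure PoC.
const PAYLOAD = 'https://example.com\\@google.com';

function demo() {
  return {
    naive: naiveHost(PAYLOAD),            // 'google.com'  (wrong)
    whatwg: whatwgHost(PAYLOAD),          // 'example.com' (correct)
    path: new URL(PAYLOAD).pathname,      // '/@google.com'
    naiveAllows: isTrustedRedirect(PAYLOAD, naiveHost, TRUSTED),   // true: bypass
    whatwgAllows: isTrustedRedirect(PAYLOAD, whatwgHost, TRUSTED), // false
    ambiguous: hasAmbiguousHost(PAYLOAD),                          // true
  };
}

console.log(demo());
```

The guard that uses `naiveHost` accepts the payload because it sees `google.com`, yet a browser following that redirect ends up on `example.com`. The fix is to validate hosts with the same WHATWG-conformant parser the client will use, or at minimum to reject inputs on which the parsers disagree, as `hasAmbiguousHost` does.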

Metadata

Created: 2023-03-27T22:31:13Z
Modified: 2023-03-27T22:31:13Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-cp4w-6x4w-v2h5/GHSA-cp4w-6x4w-v2h5.json
CWE IDs: ["CWE-601", "CWE-706"]
Alternative ID: GHSA-cp4w-6x4w-v2h5
Finding: F100
Auto approve: 1