CVE-2023-28628
lambdaisland/uri `authority-regex` returns the wrong authority
Description
### Summary `authority-regex` allows an attacker to send malicious URLs to be parsed by the `lambdaisland/uri` and return the wrong authority. This issue is similar to CVE-2020-8910. ### Details https://github.com/lambdaisland/uri/blob/d3355fcd3e235238f4dcd37be97787a84e580072/src/lambdaisland/uri.cljc#L9 This regex doesn't handle the backslash (`\`) character in the username correctly, leading to a wrong output. **Payload:** `https://example.com\\@google.com` The returned host is `google.com`, but the correct host should be `example.com`. `urllib3` (Python) and `google-closure-library` (Javascript) return `example.com` as the host. Here the correct (or current) regex used by `google-closure-library`: https://github.com/google/closure-library/blob/0e567abedb058e9b194a40cfa3ad4c507653bccf/closure/goog/uri/utils.js#L189 ### PoC ``` (ns poc.core) (require '[lambdaisland.uri :refer (uri)]) (def myurl "https://example.com\\@google.com") (defn -main [] (println myurl) (println (:host (uri myurl))) ) ``` ### Impact The library returns the wrong authority, and it can be abused to bypass host restrictions. ### Reference WHATWG Living URL spec, section 4.4 URL Parsing, host state: https://url.spec.whatwg.org/#url-parsing
How to fix CVE-2023-28628
To remediate CVE-2023-28628, upgrade the affected package to a fixed version below.
- —no fix listed
- —upgrade to 1.14.120 or later
Is CVE-2023-28628 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0