CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
EPSS
Percentile
37.0%
lambdaisland/uri is a pure Clojure/ClojureScript URI library. In versions
prior to 1.14.120 authority-regex
allows an attacker to send malicious
URLs to be parsed by the lambdaisland/uri
and return the wrong authority.
This issue is similar to but distinct from CVE-2020-8910. The regex in
question doesn’t handle the backslash (\
) character in the username
correctly, leading to a wrong output. ex. a payload of
https://example.com\\@google.com
would return that the host is
google.com
, but the correct host should be example.com
. Given that the
library returns the wrong authority this may be abused to bypass host
restrictions depending on how the library is used in an application. Users
are advised to upgrade. There are no known workarounds for this
vulnerability.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 22.04 | noarch | lambdaisland-uri-clojure | < any | UNKNOWN |
ubuntu | 24.04 | noarch | lambdaisland-uri-clojure | < any | UNKNOWN |
github.com/lambdaisland/uri/commit/f46db3e84846f79e14bfee0101d9c7a872321820
github.com/lambdaisland/uri/security/advisories/GHSA-cp4w-6x4w-v2h5
launchpad.net/bugs/cve/CVE-2023-28628
nvd.nist.gov/vuln/detail/CVE-2023-28628
security-tracker.debian.org/tracker/CVE-2023-28628
www.cve.org/CVERecord?id=CVE-2023-28628
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
EPSS
Percentile
37.0%