CVE-2023-28628 - Vulnerability Details - OpenCVE

lambdaisland/uri is a pure Clojure/ClojureScript URI library. In versions prior to 1.14.120 `authority-regex` allows an attacker to send malicious URLs to be parsed by the `lambdaisland/uri` and return the wrong authority. This issue is similar to but distinct from CVE-2020-8910. The regex in question doesn't handle the backslash (`\`) character in the username correctly, leading to a wrong output. ex. a payload of `https://example.com\\@google.com` would return that the host is `google.com`, but the correct host should be `example.com`. Given that the library returns the wrong authority this may be abused to bypass host restrictions depending on how the library is used in an application. Users are advised to upgrade. There are no known workarounds for this vulnerability.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable no

Technical Impact partial

Vendors	Products
Lambdaisland	Uri

Configuration 1 [-]

cpe:2.3:a:lambdaisland:uri:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/lambdaisland/uri/commit/f46db3e84846f79e14bfee0101d9c7a872321820
https://github.com/lambdaisland/uri/security/advisories/GHSA-cp4w-6x4w-v2h5

History

Wed, 19 Feb 2025 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-03-27T20:20:08.358Z

Updated: 2025-02-19T15:21:18.308Z

Reserved: 2023-03-20T12:19:47.207Z

Link: CVE-2023-28628

Vulnrichment

Updated: 2024-08-02T13:43:23.634Z

NVD

Status : Modified

Published: 2023-03-27T21:15:12.367

Modified: 2024-11-21T07:55:41.793

Link: CVE-2023-28628

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-28628", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-03-20T12:19:47.207Z", "datePublished": "2023-03-27T20:20:08.358Z", "dateUpdated": "2025-02-19T15:21:18.308Z"}, "containers": {"cna": {"title": "`authority-regex` returns the wrong authority in lambdaisland/uri", "problemTypes": [{"descriptions": [{"cweId": "CWE-706", "lang": "en", "description": "CWE-706: Use of Incorrectly-Resolved Name or Reference", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/lambdaisland/uri/security/advisories/GHSA-cp4w-6x4w-v2h5", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/lambdaisland/uri/security/advisories/GHSA-cp4w-6x4w-v2h5"}, {"name": "https://github.com/lambdaisland/uri/commit/f46db3e84846f79e14bfee0101d9c7a872321820", "tags": ["x_refsource_MISC"], "url": "https://github.com/lambdaisland/uri/commit/f46db3e84846f79e14bfee0101d9c7a872321820"}], "affected": [{"vendor": "lambdaisland", "product": "uri", "versions": [{"version": "< 1.14.120", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-03-27T20:20:08.358Z"}, "descriptions": [{"lang": "en", "value": "lambdaisland/uri is a pure Clojure/ClojureScript URI library. In versions prior to 1.14.120 `authority-regex` allows an attacker to send malicious URLs to be parsed by the `lambdaisland/uri` and return the wrong authority. This issue is similar to but distinct from CVE-2020-8910. The regex in question doesn't handle the backslash (`\\`) character in the username correctly, leading to a wrong output. ex. a payload of `https://example.com\\\\@google.com` would return that the host is `google.com`, but the correct host should be `example.com`. Given that the library returns the wrong authority this may be abused to bypass host restrictions depending on how the library is used in an application. Users are advised to upgrade. There are no known workarounds for this vulnerability."}], "source": {"advisory": "GHSA-cp4w-6x4w-v2h5", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T13:43:23.634Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/lambdaisland/uri/security/advisories/GHSA-cp4w-6x4w-v2h5", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/lambdaisland/uri/security/advisories/GHSA-cp4w-6x4w-v2h5"}, {"name": "https://github.com/lambdaisland/uri/commit/f46db3e84846f79e14bfee0101d9c7a872321820", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/lambdaisland/uri/commit/f46db3e84846f79e14bfee0101d9c7a872321820"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-02-19T15:20:56.651241Z", "id": "CVE-2023-28628", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-19T15:21:18.308Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/lambdaisland/uri/security/advisories/GHSA-cp4w-6x4w-v2h5", "name": "https://github.com/lambdaisland/uri/security/advisories/GHSA-cp4w-6x4w-v2h5", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/lambdaisland/uri/commit/f46db3e84846f79e14bfee0101d9c7a872321820", "name": "https://github.com/lambdaisland/uri/commit/f46db3e84846f79e14bfee0101d9c7a872321820", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T13:43:23.634Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-28628", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-02-19T15:20:56.651241Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-19T15:21:04.964Z"}}], "cna": {"title": "`authority-regex` returns the wrong authority in lambdaisland/uri", "source": {"advisory": "GHSA-cp4w-6x4w-v2h5", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "lambdaisland", "product": "uri", "versions": [{"status": "affected", "version": "< 1.14.120"}]}], "references": [{"url": "https://github.com/lambdaisland/uri/security/advisories/GHSA-cp4w-6x4w-v2h5", "name": "https://github.com/lambdaisland/uri/security/advisories/GHSA-cp4w-6x4w-v2h5", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/lambdaisland/uri/commit/f46db3e84846f79e14bfee0101d9c7a872321820", "name": "https://github.com/lambdaisland/uri/commit/f46db3e84846f79e14bfee0101d9c7a872321820", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "lambdaisland/uri is a pure Clojure/ClojureScript URI library. In versions prior to 1.14.120 `authority-regex` allows an attacker to send malicious URLs to be parsed by the `lambdaisland/uri` and return the wrong authority. This issue is similar to but distinct from CVE-2020-8910. The regex in question doesn't handle the backslash (`\\`) character in the username correctly, leading to a wrong output. ex. a payload of `https://example.com\\\\@google.com` would return that the host is `google.com`, but the correct host should be `example.com`. Given that the library returns the wrong authority this may be abused to bypass host restrictions depending on how the library is used in an application. Users are advised to upgrade. There are no known workarounds for this vulnerability."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-706", "description": "CWE-706: Use of Incorrectly-Resolved Name or Reference"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-03-27T20:20:08.358Z"}}}, "cveMetadata": {"cveId": "CVE-2023-28628", "state": "PUBLISHED", "dateUpdated": "2025-02-19T15:21:18.308Z", "dateReserved": "2023-03-20T12:19:47.207Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2023-03-27T20:20:08.358Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lambdaisland:uri:*:*:*:*:*:*:*:*", "matchCriteriaId": "FB4E4DCA-E6F9-4482-AB74-DFB3AC4A09D7", "versionEndExcluding": "1.14.120", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "lambdaisland/uri is a pure Clojure/ClojureScript URI library. In versions prior to 1.14.120 `authority-regex` allows an attacker to send malicious URLs to be parsed by the `lambdaisland/uri` and return the wrong authority. This issue is similar to but distinct from CVE-2020-8910. The regex in question doesn't handle the backslash (`\\`) character in the username correctly, leading to a wrong output. ex. a payload of `https://example.com\\\\@google.com` would return that the host is `google.com`, but the correct host should be `example.com`. Given that the library returns the wrong authority this may be abused to bypass host restrictions depending on how the library is used in an application. Users are advised to upgrade. There are no known workarounds for this vulnerability."}], "id": "CVE-2023-28628", "lastModified": "2024-11-21T07:55:41.793", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-03-27T21:15:12.367", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/lambdaisland/uri/commit/f46db3e84846f79e14bfee0101d9c7a872321820"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/lambdaisland/uri/security/advisories/GHSA-cp4w-6x4w-v2h5"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/lambdaisland/uri/commit/f46db3e84846f79e14bfee0101d9c7a872321820"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/lambdaisland/uri/security/advisories/GHSA-cp4w-6x4w-v2h5"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-706"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-601"}], "source": "nvd@nist.gov", "type": "Primary"}]}