Home > Vulnerability Database > CVE-2023-28628

Mend.io Vulnerability Database

CVE-2023-28628

Good to know:

Date: March 27, 2023

lambdaisland/uri is a pure Clojure/ClojureScript URI library. In versions prior to 1.14.120 `authority-regex` allows an attacker to send malicious URLs to be parsed by the `lambdaisland/uri` and return the wrong authority. This issue is similar to but distinct from CVE-2020-8910. The regex in question doesn't handle the backslash (`\`) character in the username correctly, leading to a wrong output. ex. a payload of `https://example.com\\@google.com` would return that the host is `google.com`, but the correct host should be `example.com`. Given that the library returns the wrong authority this may be abused to bypass host restrictions depending on how the library is used in an application. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Language: Clojure

Severity Score

6.1

Related Resources (4)

Url: https://github.com/lambdaisland/uri/security/advisories/GHSA-cp4w-6x4w-v2h5

Url: https://github.com/lambdaisland/uri/commit/f46db3e84846f79e14bfee0101d9c7a872321820

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-28628

Url: https://www.mend.io/vulnerability-database/CVE-2023-28628

Severity Score

6.1

Weakness Type (CWE)

URL Redirection to Untrusted Site ('Open Redirect')

CWE-601

Use of Incorrectly-Resolved Name or Reference

CWE-706

Top Fix

Upgrade Version

Upgrade to version lambdaisland:uri:1.14.120

Learn More

CVSS v3.1

Base Score:	6.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2023-28628

Good to know:

Date: March 27, 2023

Language: Clojure

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?