GHSA-cp4w-6x4w-v2h5
Suggest an improvement- Source
- https://github.com/advisories/GHSA-cp4w-6x4w-v2h5
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-cp4w-6x4w-v2h5/GHSA-cp4w-6x4w-v2h5.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-cp4w-6x4w-v2h5
- Aliases
- Published
- 2023-03-27T22:31:13Z
- Modified
- 2023-11-01T05:01:43.169124Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- lambdaisland/uri `authority-regex` returns the wrong authority
- Details
-
Summary
authority-regexallows an attacker to send malicious URLs to be parsed by thelambdaisland/uriand return the wrong authority. This issue is similar to CVE-2020-8910.Details
https://github.com/lambdaisland/uri/blob/d3355fcd3e235238f4dcd37be97787a84e580072/src/lambdaisland/uri.cljc#L9
This regex doesn't handle the backslash (
\) character in the username correctly, leading to a wrong output. Payload:https://example.com\\@google.comThe returned host isgoogle.com, but the correct host should beexample.com.urllib3(Python) andgoogle-closure-library(Javascript) returnexample.comas the host. Here the correct (or current) regex used bygoogle-closure-library:https://github.com/google/closure-library/blob/0e567abedb058e9b194a40cfa3ad4c507653bccf/closure/goog/uri/utils.js#L189
PoC
(ns poc.core) (require '[lambdaisland.uri :refer (uri)]) (def myurl "https://example.com\\@google.com") (defn -main [] (println myurl) (println (:host (uri myurl))) )Impact
The library returns the wrong authority, and it can be abused to bypass host restrictions.
Reference
WHATWG Living URL spec, section 4.4 URL Parsing, host state: https://url.spec.whatwg.org/#url-parsing
- Database specific
{ "nvd_published_at": "2023-03-27T21:15:00Z", "github_reviewed_at": "2023-03-27T22:31:13Z", "severity": "MODERATE", "github_reviewed": true, "cwe_ids": [ "CWE-601", "CWE-706" ] }- References
-
- https://github.com/lambdaisland/uri/security/advisories/GHSA-cp4w-6x4w-v2h5
- https://nvd.nist.gov/vuln/detail/CVE-2023-28628
- https://github.com/lambdaisland/uri/commit/f46db3e84846f79e14bfee0101d9c7a872321820
- https://github.com/google/closure-library/blob/0e567abedb058e9b194a40cfa3ad4c507653bccf/closure/goog/uri/utils.js#L189
- https://github.com/lambdaisland/uri
- https://github.com/lambdaisland/uri/blob/d3355fcd3e235238f4dcd37be97787a84e580072/src/lambdaisland/uri.cljc#L9
- https://github.com/lambdaisland/uri/releases/tag/v1.14.120
Affected packages
Maven / lambdaisland:uri
Package
- Name
- lambdaisland:uri
- View open source insights on deps.dev
- Purl
- pkg:maven/lambdaisland/uri