{
  "schema_version": "1.4.0",
  "id": "GHSA-cp4w-6x4w-v2h5",
  "modified": "2023-03-27T22:31:13Z",
  "published": "2023-03-27T22:31:13Z",
  "aliases": [
    "CVE-2023-28628"
  ],
  "summary": "lambdaisland/uri `authority-regex` returns the wrong authority",
  "details": "### Summary\n`authority-regex` allows an attacker to send malicious URLs to be parsed by the `lambdaisland/uri` and return the wrong authority. This issue is similar to CVE-2020-8910.\n\n### Details\n\nhttps://github.com/lambdaisland/uri/blob/d3355fcd3e235238f4dcd37be97787a84e580072/src/lambdaisland/uri.cljc#L9\n\nThis regex doesn't handle the backslash (`\\`) character in the username correctly, leading to a wrong output.\n**Payload:** `https://example.com\\\\@google.com`\nThe returned host is `google.com`, but the correct host should be `example.com`.\n\n`urllib3` (Python) and `google-closure-library` (Javascript) return `example.com` as the host. Here the correct (or current) regex used by `google-closure-library`:\n\nhttps://github.com/google/closure-library/blob/0e567abedb058e9b194a40cfa3ad4c507653bccf/closure/goog/uri/utils.js#L189\n\n### PoC\n\n```\n(ns poc.core)\n(require '[lambdaisland.uri :refer (uri)])\n\n(def myurl \"https://example.com\\\\@google.com\")\n\n(defn -main\n  []\n   (println myurl)\n   (println (:host (uri myurl)))\n)\n```\n\n\n### Impact\n\nThe library returns the wrong authority, and it can be abused to bypass host restrictions.\n\n### Reference\n\nWHATWG Living URL spec, section 4.4 URL Parsing, host state: https://url.spec.whatwg.org/#url-parsing",
  "severity": [
    {
      "type": "CVSS_V3",
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "lambdaisland:uri"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.14.120"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/lambdaisland/uri/security/advisories/GHSA-cp4w-6x4w-v2h5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28628"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lambdaisland/uri/commit/f46db3e84846f79e14bfee0101d9c7a872321820"
    },
    {
      "type": "WEB",
      "url": "https://github.com/google/closure-library/blob/0e567abedb058e9b194a40cfa3ad4c507653bccf/closure/goog/uri/utils.js#L189"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/lambdaisland/uri"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lambdaisland/uri/blob/d3355fcd3e235238f4dcd37be97787a84e580072/src/lambdaisland/uri.cljc#L9"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lambdaisland/uri/releases/tag/v1.14.120"
    }
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601",
      "CWE-706"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-27T22:31:13Z",
    "nvd_published_at": "2023-03-27T21:15:00Z"
  }
}