GHSA-CP4W-6X4W-V2H5

Vulnerability from github – Published: 2023-03-27 22:31 – Updated: 2023-03-27 22:31
Summary
lambdaisland/uri `authority-regex` returns the wrong authority
Details

Summary

`authority-regex` allows an attacker to send malicious URLs to be parsed by lambdaisland/uri and have it return the wrong authority. This issue is similar to CVE-2020-8910.

Details

https://github.com/lambdaisland/uri/blob/d3355fcd3e235238f4dcd37be97787a84e580072/src/lambdaisland/uri.cljc#L9

This regex doesn't handle the backslash (`\`) character in the username correctly, leading to wrong output. Payload: `https://example.com\\@google.com`. The returned host is `google.com`, but the correct host should be `example.com`.

urllib3 (Python) and google-closure-library (JavaScript) return `example.com` as the host. Here is the correct (or current) regex used by google-closure-library:

https://github.com/google/closure-library/blob/0e567abedb058e9b194a40cfa3ad4c507653bccf/closure/goog/uri/utils.js#L189

PoC

```clojure
(ns poc.core
  (:require [lambdaisland.uri :refer [uri]]))

;; Payload from the advisory; in a Clojure string literal "\\" is one backslash.
(def myurl "https://example.com\\@google.com")

(defn -main
  []
  (println myurl)
  ;; Prints google.com on affected versions; the correct host is example.com.
  (println (:host (uri myurl))))
```

Impact

The library returns the wrong authority, and it can be abused to bypass host restrictions.
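To make the failure mode concrete outside Clojure, here is an added Python example (not code from the advisory or from lambdaisland/uri) contrasting a naive authority split with one that follows the WHATWG rule that, for special schemes, a backslash ends the authority like a slash. The regexes are constructed for illustration and are not the library's own pattern; `host_allowed` is a hypothetical allowlist check showing why the parser choice matters.

```python
import re

# Constructed example: scheme prefix matcher and the WHATWG "special" schemes,
# for which "\" is treated as a path delimiter (https://url.spec.whatwg.org/).
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*)://")
SPECIAL_SCHEMES = {"http", "https", "ws", "wss", "ftp", "file"}


def _host_of(authority):
    # user-info ends at the LAST "@"; the port (if any) follows the first ":".
    _userinfo, _, hostport = authority.rpartition("@")
    return hostport.split(":", 1)[0]


def naive_host(url):
    """Flawed approach: the authority runs to the first '/', '?' or '#', so
    'example.com\\' is swallowed as user-info and google.com becomes the host."""
    m = SCHEME_RE.match(url)
    if not m:
        return None
    authority = re.split(r"[/?#]", url[m.end():], maxsplit=1)[0]
    return _host_of(authority)


def whatwg_host(url):
    """Spec-following approach: for special schemes a backslash also ends the
    authority, so the user-info/host split never sees the '@' after it."""
    m = SCHEME_RE.match(url)
    if not m:
        return None
    scheme = m.group(1).lower()
    delims = r"[/\\?#]" if scheme in SPECIAL_SCHEMES else r"[/?#]"
    authority = re.split(delims, url[m.end():], maxsplit=1)[0]
    return _host_of(authority)


def host_allowed(url, allowlist, parse=whatwg_host):
    """Hypothetical host-restriction check; the parser decides the outcome."""
    return parse(url) in allowlist


if __name__ == "__main__":
    payload = "https://example.com\\@google.com"  # the advisory's payload
    print(naive_host(payload), whatwg_host(payload))
```

With the naive parser a `google.com`-only allowlist accepts the payload even though the spec-conforming host is `example.com`; the WHATWG-style parser rejects it.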

Reference

WHATWG Living URL spec, section 4.4 URL Parsing, host state: https://url.spec.whatwg.org/#url-parsing


{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "lambdaisland:uri"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.14.120"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-28628"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601",
      "CWE-706"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-27T22:31:13Z",
    "nvd_published_at": "2023-03-27T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n`authority-regex` allows an attacker to send malicious URLs to be parsed by the `lambdaisland/uri` and return the wrong authority. This issue is similar to CVE-2020-8910.\n\n### Details\n\nhttps://github.com/lambdaisland/uri/blob/d3355fcd3e235238f4dcd37be97787a84e580072/src/lambdaisland/uri.cljc#L9\n\nThis regex doesn\u0027t handle the backslash (`\\`) character in the username correctly, leading to a wrong output.\n**Payload:** `https://example.com\\\\@google.com`\nThe returned host is `google.com`, but the correct host should be `example.com`.\n\n`urllib3` (Python) and `google-closure-library` (Javascript) return `example.com` as the host. Here the correct (or current) regex used by `google-closure-library`:\n\nhttps://github.com/google/closure-library/blob/0e567abedb058e9b194a40cfa3ad4c507653bccf/closure/goog/uri/utils.js#L189\n\n### PoC\n\n```\n(ns poc.core)\n(require \u0027[lambdaisland.uri :refer (uri)])\n\n(def myurl \"https://example.com\\\\@google.com\")\n\n(defn -main\n  []\n   (println myurl)\n   (println (:host (uri myurl)))\n)\n```\n\n\n### Impact\n\nThe library returns the wrong authority, and it can be abused to bypass host restrictions.\n\n### Reference\n\nWHATWG Living URL spec, section 4.4 URL Parsing, host state: https://url.spec.whatwg.org/#url-parsing",
  "id": "GHSA-cp4w-6x4w-v2h5",
  "modified": "2023-03-27T22:31:13Z",
  "published": "2023-03-27T22:31:13Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/lambdaisland/uri/security/advisories/GHSA-cp4w-6x4w-v2h5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28628"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lambdaisland/uri/commit/f46db3e84846f79e14bfee0101d9c7a872321820"
    },
    {
      "type": "WEB",
      "url": "https://github.com/google/closure-library/blob/0e567abedb058e9b194a40cfa3ad4c507653bccf/closure/goog/uri/utils.js#L189"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/lambdaisland/uri"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lambdaisland/uri/blob/d3355fcd3e235238f4dcd37be97787a84e580072/src/lambdaisland/uri.cljc#L9"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lambdaisland/uri/releases/tag/v1.14.120"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "lambdaisland/uri `authority-regex` returns the wrong authority"
}