Source: lambdaisland-uri-clojure Version: 1.13.95-2 Severity: important Tags: security upstream X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerability was published for lambdaisland-uri-clojure. CVE-2023-28628[0]: | lambdaisland/uri is a pure Clojure/ClojureScript URI library. In | versions prior to 1.14.120 `authority-regex` allows an attacker to | send malicious URLs to be parsed by the `lambdaisland/uri` and | return the wrong authority. This issue is similar to but distinct | from CVE-2020-8910. The regex in question doesn't handle the | backslash (`\`) character in the username correctly, leading to a | wrong output. ex. a payload of `https://example.com\\@google.com` | would return that the host is `google.com`, but the correct host | should be `example.com`. Given that the library returns the wrong | authority this may be abused to bypass host restrictions depending | on how the library is used in an application. Users are advised to | upgrade. There are no known workarounds for this vulnerability. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2023-28628 https://www.cve.org/CVERecord?id=CVE-2023-28628 [1] https://github.com/lambdaisland/uri/security/advisories/GHSA-cp4w-6x4w-v2h5 [2] https://github.com/lambdaisland/uri/commit/67063ed439dd0843536f27e8cde40a8a7d69f37b Regards, Salvatore
